SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Adobe ColdFusion
Vendors:   Macromedia
ColdFusion MX Configuration Error When Used With IIS and NT Authentication May Grant Unauthorized Access to Remote Authenticated Users
SecurityTracker Alert ID:  1006023
SecurityTracker URL:  http://securitytracker.com/id/1006023
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 30 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): MX
Description:   A configuration issue was reported in Macromedia's ColdFusion MX. A remote authenticated user may be incorrectly granted access to files when in a specific configuration using NT Authentication.

Macromedia issued a security bulletin (MPSB03-02) warning of a security issue with ColdFusion MX when using Windows NT Authentication and Windows file permissions.

All Editions of ColdFusion MX on the Microsoft Windows Platform with Microsoft Internet Information Server (IIS) are affected.

According to the report, when ColdFusion MX is used with Microsoft IIS, Windows NT Authentication, and NTFS file permissions, it is necessary to configure IIS to check the file permissions before passing the request to ColdFusion MX. If not properly configured, a remote authenticated user may gain unauthorized access to ColdFusion templates and directories.

Impact:   A remote authenticated user may be able to access ColdFusion templates and directories that the user is not permitted to access.
Solution:   Several steps to perform the correct configuration are presented. These steps are:

1) Set IIS to check template files
2) Create additional .cfm files
3) Configure IIS to handle missing template files

For detailed directions covering each step, see the vendor advisory:

http://www.macromedia.com/v1/handlers/index.cfm?ID=23734

Vendor URL:  www.macromedia.com/v1/handlers/index.cfm?ID=23734
Cause:   Configuration error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Macromedia MPSB03-02


http://www.macromedia.com/v1/handlers/index.cfm?ID=23734

Macromedia issued a security bulletin (MPSB03-02) warning of a security issue with ColdFusion MX
when using Windows NT Authentication and Windows file permissions.

All Editions of ColdFusion MX on the Microsoft Windows Platform with Internet Information Server
(IIS) are affected.

According to the report, when ColdFusion MX is used with Microsoft IIS, Windows NT Authentication,
and NTFS file permissions, it is necessary to configure IIS to check the file permissions before
passing the request to ColdFusion MX.  If not properly configured, a remote authenticated user may
gain unauthorized access to ColdFusion templates and directories.

Several steps to perform the correct configuration are presented.  These steps are:

1) Set IIS to check template files
2) Create additional .cfm files
3) Configure IIS to handle missing template files

For detailed directions covering each step, see the vendor advisory.

-----

January 30, 2002 - Bulletin first released.


 
 

