
Re: KPMG-2002013: Coldfusion Path Disclosure: msg#00392

security.bugtraq

Subject: Re: KPMG-2002013: Coldfusion Path Disclosure

In-Reply-To: <000701c1e6d0$cc7350e0$1f00a8c0@KPMGIRMPGRUNDL>

Usually, the preferred solution will be to use a Site-wide
Error Handler.

ColdFusion provides for a "Site-wide Error Handler"
template. This is located at the bottom of the "Settings"
page in the ColdFusion Administrator. This allows the
application developer to control exactly what is displayed
when ColdFusion encounters an error.

This is recommended practice for production ColdFusion
sites, and applies to all unhandled errors, not just those
caused by reserved DOS filenames such as NUL and PRN.

If, for some reason, a Site-wide Error Handler is not
desired, the workaround, as described by Mr. Gründl, can
be used to prevent DOS reserved filenames from being
specified as ColdFusion templates.

If this method is chosen, then all requests for
non-existent templates (i.e. HTTP 404s) will display the IIS
response rather than the standard ColdFusion response,
since IIS will check for the file's existence before
requesting that the ColdFusion ISAPI Extension process the
file.

Tom Donovan
Macromedia ColdFusion
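The following is an added example of a Site-wide Error Handler template of the kind the reply above recommends; it is not code from the original post or from Macromedia. It assumes the template is saved on the server (for example as errorhandler.cfm) and its path entered in the "Site-wide Error Handler" field of the ColdFusion Administrator. The log file name "siteErrors" is an assumed name. The security point is that the details that disclose the physical path (error.template, error.diagnostics) go only to the server-side log, while the client receives a generic page plus an opaque reference ID that lets an administrator find the matching log entry.

```cfml
<!--- errorhandler.cfm: Site-wide Error Handler (added example, not from the original post) --->
<!--- Generate an opaque reference so the user can report the incident
      without the response revealing anything about the server. --->
<cfset refID = createUUID()>

<!--- Record full diagnostics, including the template path, server-side only.
      "siteErrors" is an assumed log file name. --->
<cflog file="siteErrors" type="error"
       text="ref=#refID# ip=#error.remoteAddress# template=#error.template# message=#error.message# diagnostics=#error.diagnostics#">

<!--- Return a proper error status rather than 200 so monitoring sees the failure. --->
<cfheader statuscode="500" statustext="Internal Server Error">
<cfcontent type="text/html">

<!--- The response body deliberately omits error.template and error.diagnostics,
      which is where the physical path would otherwise appear. --->
<cfoutput>
<html>
<head><title>Error</title></head>
<body>
<h1>An error occurred</h1>
<p>Your request could not be processed. The problem has been logged.</p>
<p>Reference ID: #refID#</p>
</body>
</html>
</cfoutput>
```

Keep the handler free of anything that can itself fail (database queries, includes of other templates), because an exception raised inside the Site-wide Error Handler falls back to ColdFusion's default error page, which is exactly what this template is meant to replace.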


