Cold Fusion applications bypass security (165998)


The information in this article applies to:

  • Microsoft Internet Information Server 2.0
  • Microsoft Internet Information Server 3.0
This article was previously published under Q165998
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SYMPTOMS

Cold Fusion template files that should be only accessible to authenticated users are also getting returned to other users.

CAUSE

The Cold Fusion ISAPI dll file is running in a manner that does not preserve the user context. Therefore, it allows the cfm file to run solely based on the permissions assigned the Cold Fusion dll (Iscf.dll) file.

WORKAROUND

Contact Adobe Support to obtain the appropriate file or files that you must have to resolve the problem. For more information, visit the following Web site:

http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_17883#MX701

MORE INFORMATION

The third-party products discussed here are manufactured by vendors independent of Microsoft. We make no warranty, implied or otherwise, regarding performance or reliability of these products.
Modification Type:MinorLast Reviewed:6/30/2006
Keywords:kb3rdparty kbprb KB165998
©2004 Microsoft Corporation. All rights reserved.