Cold Fusion Applications Bypass Security

ID: Q165998


The information in this article applies to:
  • Microsoft Internet Information Server versions 2.0, 3.0


SYMPTOMS

Cold Fusion template files that should be only accessible to authenticated users are also getting returned to other users.


CAUSE

The Cold Fusion ISAPI dll file is running in a manner that does not preserve the user context. Therefore, it allows the cfm file to run solely based on the permissions assigned the Cold Fusion dll (Iscf.dll) file.


WORKAROUND

Allaire is working on a new version of the .dll file (maintenance fix 2.02) that will resolve the problem.


MORE INFORMATION

The third-party products discussed here are manufactured by vendors independent of Microsoft. We make no warranty, implied or otherwise, regarding performance or reliability of these products.

Keywords : kb3rdparty
Version : Winnt:2.0,3.0
Platform : winnt
Issue type : kbprb


Last Reviewed: May 4, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.