COMMAND

    service pack 6

SYSTEMS AFFECTED

    WinNT with SP6

PROBLEM

    Zachary Bedell found following.  He has a ColdFusion 4.0.1  server
    that was just upgraded  from SP4 to SP6,  and there seems to  be a
    change  in  the  behavior  for  ColdFusion  execution  under  IIS.
    ColdFusion files are set to run as executables on the server,  not
    as scripts (Script Engine is unchecked in the Application Settings
    for  .cfm  files  in  MMC).   That  setting  allowed  a URL of the
    following format to work:

        www.server.com/dir/download.cfm/actualfilename.ext?id=blah¶m2=blah
        etc=etc <---  Note  that   download.cfm  would  execute,   not
                      actualfilename.ext.

    That way,  a file  could be  'hidden' behind  a CF page, requiring
    some sort of authentication.  When the payload file was dispensed,
    the CF  page grabbed  the file  from outside  of the webroot using
    CFFILE.   The  MIME  headers  were  set  to reflect the file type,
    and the 'actualfilename.ext' section of the URL tricked both IE  &
    Netscape  into  defaulting  to  the  actual  filename  instead  of
    'download.cfm.'   The  file  download.cfm  ran  with that URL, and
    everything was fine under SP4.   After upgrading to SP6, that  URL
    now returns a 404  error, as it seems  the webserver is trying  to
    return a  page named  /dir/download.cfm/actualfilename.ext instead
    of actually running download.cfm.

    It seems that either: 1)  IIS is ignoring the setting  for 'Script
    Engine'  in  the  MMC  and  running  CF  as a script instead of an
    executable, or 2)  the behavior of  IIS's URL parsing  has changed
    somehow & the Script Engine setting no longer effects it.

SOLUTION

    Nothing yet.