
Cold Fusion Link CFM Throwing 404 Error File or directory not found IIS

I recently inherited a Cold Fusion based site. This site is hosted in a shared hosting environment on IIS. I am very familiar with ASP and .NET, but have never used Cold Fusion before.

The link in question is passing the property name, region and city to a query that is querying a .mdb file (Access Database).

http://www.clia.com/all_properties.cfm?city=Anaheim&region=Orange%20County
The above link will take you to a listing of properties in Anaheim and in the region of Orange County.

You will notice the first listing on the page is Alamo Inn & Suites. Clicking this link will bring up the details for this listing.

http://www.clia.com/property_detail.cfm?property=Alamo%20Inn%20%26%20Suites&region=Orange County&city=Anaheim

Now, if you go back to the Anaheim/Orange County listings, and click the LAST link on the page (Castle Inn & Suites):

http://www.clia.com/property_detail.cfm?property=Castle%20Inn%20%26%20Suites&region=Orange County&city=Anaheim

You get the typical file not found error (in IE or Firefox):

HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)

Both links go to the same CFM page, so they use the SAME query! And when you compare them, and when you look at what is in the database records, it doesn’t make sense (to me anyway).

Works: http://www.clia.com/property_detail.cfm?property=Alamo%20Inn%20%26%20Suites&region=Orange County&city=Anaheim

Doesn't Work: http://www.clia.com/property_detail.cfm?property=Castle%20Inn%20%26%20Suites&region=Orange County&city=Anaheim

Basic Query in the CFM file:
<cfquery name="property_details" datasource="clia_members">
SELECT *
FROM "Active Property Member Query"
WHERE "Active Property Member Query".UPANAME = '#URLDecode(URL.property)#'
AND "Active Property Member Query".UPACITY = '#URL.city#'
</cfquery>

Active Property Member Query:
SELECT [Contact Tables Join Query].[Contact1_ACCOUNTNO], [Contact Tables Join Query].[CONTACT], [Contact Tables Join Query].[COMPANY], [Contact Tables Join Query].[KEY2], [Contact Tables Join Query].[UPANAME], [Contact Tables Join Query].[UPAADR1], [Contact Tables Join Query].[UPAADR2], [Contact Tables Join Query].[UPACITY], [Contact Tables Join Query].[UPASTATE], [Contact Tables Join Query].[UPAZIP], [Contact Tables Join Query].[UPHONEPROP], [Contact Tables Join Query].[UPHONERES], [Contact Tables Join Query].[UPHONEPRPF], [Contact Tables Join Query].[UPAEMAIL], [Contact Tables Join Query].[UPAWEBADR], [Contact Tables Join Query].[UTSDESC1], [Contact Tables Join Query].[UTSDESC2], [Contact Tables Join Query].[UTSDESC3], [Contact Tables Join Query].[UTSDESC4], [Contact Tables Join Query].[UTSDESC5], [Contact Tables Join Query].[UTSDESC6], [Contact Tables Join Query].[UTSDESC7], [Contact Tables Join Query].[UREGION]
FROM [Contact Tables Join Query]
WHERE ((([Contact Tables Join Query].[KEY2])="MB" Or ([Contact Tables Join Query].[KEY2])="MS" Or ([Contact Tables Join Query].[KEY2])="MM" Or ([Contact Tables Join Query].[KEY2])="ML" Or ([Contact Tables Join Query].[KEY2])="MV"));

Contact Tables Join Query:
SELECT Contact1.ACCOUNTNO AS Contact1_ACCOUNTNO, Contact1.CONTACT, Contact1.COMPANY, Contact1.KEY1, Contact2.UPANAME, Contact1.KEY2, Contact2.UHEADING1, Contact2.UHEADING2, Contact2.UPAADR1, Contact2.UPAADR2, Contact2.UPACITY, Contact2.UPASTATE, Contact2.UPAZIP, Contact2.UPHONEPROP, Contact2.UPHONERES, Contact2.UPHONEPRPF, Contact2.UPAEMAIL, Contact2.UPAWEBADR, Contact2.UTSDESC1, Contact2.UTSDESC2, Contact2.UTSDESC3, Contact2.UTSDESC4, Contact2.UTSDESC5, Contact2.UTSDESC7, Contact2.UTSDESC6, Contact2.UENDORSED, Contact2.UREGION
FROM Contact2 INNER JOIN Contact1 ON Contact2.ACCOUNTNO = Contact1.ACCOUNTNO;

Attachments: clia-good.jpg, clia-bad.jpg

Asked by: Druac

1 Solution
gdemaria commented:

The region is not URL encoded, it has a space in the middle of the value

 &region=Orange County&....

That space is breaking the web address

You should locate that link, and see how the property=  value is using URLencodedFormat()

You want to use this same function around the region variable so that it is also URL encoded (it will replace the space with the %20)
Druac (author) commented:
Ok, thanks for the heads-up, I should have noticed that. However, BOTH links use the SAME code and neither had the region OR city URL encoded...and the first STILL worked (same city and region as the link that isn't working, by the way).

Any who, I went ahead and applied the URL encoding to both the city and region, and even after the change the bad link still throws a 404 error :(
gdemaria commented:
Somewhere I suspect you have some code attempting to protect you from SQL injection. The word "Cast" in your property= parameter seems to be the culprit.

If you change the URL from property=castle to property=casXtle you will see it works.

The SQL injection detector is probably checking for keywords such as CAST() and intentionally throwing the page not found error.

This code needs some work to allow the legitimate values.
Druac (author) commented:
First, thank you very much for your help thus far! I think we are on the right track! :)

Ok, I have confirmed your anti-SQL Injection theory (I think) by renaming them to "Casle Inn & Suites". The link now works. Now I just need to figure out where this is happening. So far, no luck. :(

I have attached the code that is both building the href links in all_properties.cfm and the query in property_detail.cfm. Neither looks like it is doing any SQL injection routines...to me anyway.

Am I missing some other place that this might be happening? There are include files being used on these pages, but none of them reference anything to do with the SQL stuff.

href links in all_properties.cfm:
<cfparam name="URL.type" default="all">

<cfquery name="property_details" datasource="clia_members">
SELECT *
FROM "Active Property Member Query"
WHERE "Active Property Member Query".UPACITY = '#URL.city#'
<cfif URL.type EQ "bb">
	AND "Active Property Member Query".KEY2 = 'mb'
</cfif>
ORDER BY "Active Property Member Query".COMPANY
</cfquery>

<cfoutput query="property_details">
<cfif IsDefined("URL.region")>
	<a href="property_detail.cfm?property=#URLEncodedFormat(property_details.UPANAME)#&region=#URLEncodedFormat(URL.region)#&city=#URLEncodedFormat(URL.city)#"><u class="sectionHeadNav">#property_details.UPANAME#</u></a></font></strong><font size="2" face="Arial, Helvetica, sans-serif"><br>
<cfelse>
	<a href="property_detail.cfm?property=#URLEncodedFormat(property_details.UPANAME)#&city=#URLEncodedFormat(URL.city)#"><u class="sectionHeadNav">#property_details.UPANAME#</u></a></font></strong><font size="2" face="Arial, Helvetica, sans-serif"><br>
</cfif>
</cfoutput>

Query in property_detail.cfm:
<cfquery name="property_details" datasource="clia_members">
SELECT *
FROM "Active Property Member Query"
WHERE "Active Property Member Query".UPANAME = '#URLDecode(URL.property)#'
AND "Active Property Member Query".UPACITY = '#URLDecode(URL.city)#'
</cfquery>

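As an added illustration (not code from this thread or from the clia.com site), the Python below, using sqlite3 with constructed sample rows standing in for the Access view, contrasts the substring keyword blocklist gdemaria suspects with a check that only flags a keyword used as a SQL function or statement, and shows the parameterised form of the property_detail.cfm lookup, which needs no keyword filter at all. Table and column names, the keyword list and the rows are assumptions for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the Access view
# "Active Property Member Query" (not the site's real data).
ROWS = [
    ("Alamo Inn & Suites", "Anaheim", "Orange County"),
    ("Castle Inn & Suites", "Anaheim", "Orange County"),
]

SQL_KEYWORDS = ("cast", "select", "union", "exec", "drop")


def naive_filter_blocks(value: str) -> bool:
    """Substring blocklist of the kind suspected in the thread: any value
    that merely contains a keyword is rejected, so 'Castle Inn & Suites'
    trips on 'cast' and the page answers with a 404."""
    v = value.lower()
    return any(k in v for k in SQL_KEYWORDS)


def call_pattern_blocks(value: str) -> bool:
    """Tighter check: flag a keyword only when it stands alone as a word
    and is followed by '(' or whitespace (a SQL function or statement).
    In 'Castle' there is no word boundary after 'cast', so the name passes."""
    pattern = r"\b(" + "|".join(SQL_KEYWORDS) + r")\b\s*[(\s]"
    return re.search(pattern, value, re.IGNORECASE) is not None


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the clia_members datasource (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (UPANAME TEXT, UPACITY TEXT, UREGION TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_property(conn: sqlite3.Connection, name: str, city: str):
    """Parameterised equivalent of the property_detail.cfm query (what
    <cfqueryparam> does in CFML). The driver binds the values, so quotes or
    keywords in the input cannot change the statement; no blocklist needed."""
    cur = conn.execute(
        "SELECT UPANAME, UPACITY, UREGION FROM members "
        "WHERE UPANAME = ? AND UPACITY = ?",
        (name, city),
    )
    return cur.fetchone()


if __name__ == "__main__":
    conn = build_db()
    for name, _, _ in ROWS:
        print(name, "| naive blocks:", naive_filter_blocks(name),
              "| call-pattern blocks:", call_pattern_blocks(name),
              "| row:", lookup_property(conn, name, "Anaheim"))
```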
gdemaria commented:
I would look in your application.cfm or application.cfc file.

The chances are that the code is global and enacts on all pages, so that's probably where it would be.
Druac (author) commented:
Still looking into this. Ran out of time last week. I have not yet found where it is doing the anti-SQL Injection code. It doesn't look like it is directly from the application.cfm file. Very little going on in that file. I will post more as soon as I get a chance. Thanks.
gdemaria commented:
Try a global search on "CAST"
Druac (author) commented:
I have tried the global search for CAST and have not found where this is happening. I give up for now...just don't have the time right now. But thanks for the help!
Druac (author) commented:
I don't have the time to keep after this at the moment. I think we were on the right track, but I am unable to find where the SQL injection detector is on this coldfusion site.