I have a legacy server running Win2k/IIS-5 and ColdFusion MX. (No snickering in the back, please...) Here's the issue/question:
I have many sites on this server - it is dedicated to a nonprofit. The server runs both ColdFusion and HTML sites. Each site on the server has a unique URL, and each site has a dedicated 'home' directory, but they exist under the primary directory of the primary web site - see below - this was done so that FTP to support all sites would be easier to configure.
In this specific case, one web site is HTML only. The 'documents' tab of IIS lists only two document types to be executed: index.htm and index.html. Other than HTML files, and a few subdirectories for images and a PDF or two, there is nothing else in this directory.
Here's the structure:
(the subdirs are things like 'images' for the main site; uniques_site1 is a sub dir that contains independent files that serve as a different site under IIS.)
Here's the problem:
If you go to www.mainsitename.org, that unique site works fine;
If you go to www.sitename.com/somedirectory/ the site displays an error message saying that directory listings are forbidden on the server (remember that the web files for the other HTML site are in a directory under the home or main);
If you go to www.sitename.corg/somedirectory/index.cfm - the server finds a compromised cfm file and executes it.
Now, the compromised file is a type of redirect to another site that sells Cialis...
The problem is that I have looked for hidden, system, read-only, etc. index.cfm files in the primary, and in fact, I have searched all directories on the server and find nothing amiss.
This leads me to think the issue is around some type of traversal mechanism or in the default path of some part of IIS.