Title: Allaire ColdFusion Remote File Display, Deletion, Upload and Execution Vulnerability
Severity: MODERATE
Description:
A security vulnerability allows remote web users to delete and display any file on the system, and may also allow the upload and execution of ColdFusion files.
A default installation of ColdFusion Server includes sample code and documentation that is available to web browsing users. One of these sample applications, the expression evaluator, allows users to experiment with ColdFusion expressions. It gives you the option to upload a file, which it will then process, display and subsequently delete. Normally, access to the application is restricted to the local machine. However, some pages in the application can be accessed directly. By passing it a handcrafted URL you can order it to display and delete any file on the system.
The expression calculator is composed of several files. openfile.cfm and openedfile.cfm allow you to upload a file to the server. exprcalc.cfm processes the uploaded file, displays it and then deletes it.
By using exprcalc.cfm to delete itself, we can upload a file to the server that will not be deleted, which we can then try to execute.
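An added detection example, not part of the original advisory: it scans web access logs for requests to the three sample pages named above that come from any client other than the local machine. The Common Log Format, the /samples/ path and the log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Sample pages named in the advisory. Matched by file name only, because the
# directory they are installed under is deployment-specific.
SAMPLE_PAGES = {"openfile.cfm", "openedfile.cfm", "exprcalc.cfm"}

# Assumption: the web server writes Common Log Format access logs.
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b')

# Constructed log lines (documentation addresses, made-up /samples/ path).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Feb/1999:10:00:01 -0500] "GET /samples/exprcalc.cfm HTTP/1.0" 200 1500',
    '192.0.2.10 - - [10/Feb/1999:10:02:11 -0500] "GET /samples/ExprCalc.cfm?PARAM=VALUE HTTP/1.0" 200 2048',
    '192.0.2.10 - - [10/Feb/1999:10:02:40 -0500] "POST /samples/openfile.cfm HTTP/1.0" 200 900',
    '198.51.100.7 - - [10/Feb/1999:10:05:00 -0500] "GET /index.cfm HTTP/1.0" 200 400',
    '203.0.113.5 - - [10/Feb/1999:10:06:00 -0500] "GET /samples/%65xprcalc.cfm HTTP/1.0" 404 0',
]

def is_local(client):
    """True when the request came from the server itself."""
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return client.lower() == "localhost"

def find_remote_sample_access(lines):
    """Return one finding per non-local request to a sample page."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m or is_local(m["client"]):
            continue
        parts = urlsplit(m["target"])
        # Decode %XX escapes and ignore case so variants of the name still match.
        page = unquote(parts.path).replace("\\", "/").rsplit("/", 1)[-1].lower()
        if page in SAMPLE_PAGES:
            findings.append({"client": m["client"], "when": m["when"],
                             "page": page, "has_query": bool(parts.query),
                             "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for f in find_remote_sample_access(SAMPLE_LOG):
        print(f)
```

A finding for exprcalc.cfm with a query string and a 2xx status deserves review first, since that is the page that displays and deletes files.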
Affected Products:
- Allaire ColdFusion Server 2.0.0
- Allaire ColdFusion Server 3.0.0
- Allaire ColdFusion Server 3.0.1
- Allaire ColdFusion Server 3.1.0
- Allaire ColdFusion Server 3.1.1
- Allaire ColdFusion Server 3.1.2
- Allaire ColdFusion Server 4.0.0