VID 21013
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The remote web server appears to be running the ColdFusion application server with a utility called the "Expression Evaluator" installed. The Expression Evaluator is a sample script included with ColdFusion (through version 4.0) to demonstrate how to use ColdFusion's expression evaluation features.
A vulnerability in this script could allow remote attackers to view or delete arbitrary files on the server. Normally this program is accessible only from the localhost machine (127.0.0.1), but when it is accessed directly, it allows connections from any host. It was later found that, in addition to reading and deleting files on the server, it is possible to upload (create) files on the server, which could be used to further compromise the system.

Three files are central to this issue, and any web user can access them by default:
- "/cfdocs/expeval/openfile.cfm"
- "/cfdocs/expeval/displayopenedfile.cfm"
- "/cfdocs/expeval/exprcalc.cfm"

The first one lets you upload a file via a web form. The second one saves the file to the server. The last file reads the uploaded file, displays the contents of the file in a web form and then deletes the uploaded file.
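
An added example, not part of the original entry: a log check that flags requests to the three Expression Evaluator scripts from clients other than the loopback address. It assumes the access log is in NCSA Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# The three Expression Evaluator scripts named in this entry.
EXPEVAL_SCRIPTS = {
    "/cfdocs/expeval/openfile.cfm",
    "/cfdocs/expeval/displayopenedfile.cfm",
    "/cfdocs/expeval/exprcalc.cfm",
}

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(target):
    """Drop the query string, percent-decode, unify slashes and case."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    return re.sub(r"/+", "/", path).lower()

def is_loopback(client):
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return False  # hostname or unparsable value: treat as remote

def find_expeval_hits(lines):
    """Return (client, method, path, status) for non-loopback requests."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = normalize(target)
        if path in EXPEVAL_SCRIPTS and not is_loopback(client):
            hits.append((client, method, path, int(status)))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/1999:13:55:36 -0700] "GET /cfdocs/expeval/openfile.cfm HTTP/1.0" 200 2326',
    '127.0.0.1 - - [10/Oct/1999:13:56:01 -0700] "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0" 200 512',
    '198.51.100.23 - - [10/Oct/1999:14:02:11 -0700] "POST /CFDOCS/expeval/DisplayOpenedFile.cfm HTTP/1.0" 200 734',
    '198.51.100.23 - - [10/Oct/1999:14:02:15 -0700] "GET /cfdocs//expeval/exprcalc%2Ecfm?x=1 HTTP/1.0" 404 210',
    '192.0.2.10 - - [10/Oct/1999:14:05:40 -0700] "GET /index.cfm HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for hit in find_expeval_hits(SAMPLE_LOG):
        print(hit)
```

The returned status code shows whether the server actually served the script to the remote client or answered with an error.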

* References:
http://www.atstake.com/research/advisories/1999/cfusion.txt
http://www.phrack.com/show.php?p=54&a=8
http://www.macromedia.com/v1/handlers/index.cfm?ID=8727

* Platforms Affected:
ColdFusion Server 4.0 and earlier
Windows Any version
Recommendation Install the ColdFusion 4.0.1 Update, available from the Macromedia Web site as "ColdFusion 4.0.1 Update" at http://www.macromedia.com/v1/handlers/index.cfm?ID=10712

Macromedia recommends that the entire /CFDOCS directory tree be removed from production servers and installed only on development installations that are not exposed to potentially hostile networks. Specifically, remove the example applications stored in the /CFDOCS/exampleapps directory.

All ColdFusion customers should familiarize themselves with the ColdFusion "Best Security Practices" document available at the following address:
http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full
Related URL CVE-1999-0455,CVE-1999-0477 (CVE)
Related URL 115 (SecurityFocus)
Related URL 1740 (ISS)