VID 21014
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The remote web server appears to be running the Cold Fusion application server with a utility called the "Expression Evaluator" installed. The Expression Evaluator is a sample script included with ColdFusion (through version 4.0) to demonstrate to users how to use the expression evaluation features of ColdFusion.
A vulnerability exists in this script that could allow remote attackers to view or delete arbitrary files on the server. Normally this program is accessible only from the local machine (127.0.0.1), but when accessed directly it allows connections from any host. It was later found that, in addition to reading and deleting files on the server, it is possible to upload (create) files on the server, which could be used to further compromise the system.

There are basically 3 important files in this exploit that any web user can access by default:
- "/cfdocs/expeval/openfile.cfm"
- "/cfdocs/expeval/displayopenedfile.cfm"
- "/cfdocs/expeval/exprcalc.cfm"

The first one lets you upload a file via a web form. The second one saves the file to the server. The last file reads the uploaded file, displays the contents of the file in a web form and then deletes the uploaded file.
Recommendation 1. Install the Cold Fusion 4.0.1 Update from the Allaire web site. See References.
2. Obtain and install the appropriate ColdFusion Expression Evaluator Security Patch, available at http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full.
3. Users who do not wish to patch their systems should remove the applications from //CFDOCS/expeval (namely evaluate.cfm).
Related URL CVE-1999-0455,CVE-1999-0477 (CVE)
Related URL 115 (SecurityFocus)
Related URL 1740 (ISS)
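
To check whether the three Expression Evaluator scripts listed in the description have been requested from anywhere other than the local machine, the following added example (not part of the original entry or of any vendor tooling) scans web server access logs for them. It assumes Common Log Format; the function names are hypothetical and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# The three sample scripts named in the description above.
EXPEVAL_FILES = {
    "/cfdocs/expeval/openfile.cfm",
    "/cfdocs/expeval/displayopenedfile.cfm",
    "/cfdocs/expeval/exprcalc.cfm",
}
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalise(target):
    """Drop the query string, percent-decode, unify slashes and lower-case,
    so spelling variants of the same path compare equal."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    return re.sub(r"/{2,}", "/", path).lower()

def is_loopback(client):
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return False  # a hostname in the client field is treated as remote

def remote_expeval_hits(lines):
    """Return (client, time, method, path, status) for each request to an
    Expression Evaluator script that did not come from the loopback address."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        path = normalise(target)
        if path in EXPEVAL_FILES and not is_loopback(client):
            hits.append((client, when, method, path, int(status)))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Feb/1999:10:00:01 +0000] "GET /cfdocs/expeval/openfile.cfm HTTP/1.0" 200 1523',
    '192.0.2.10 - - [10/Feb/1999:10:02:11 +0000] "GET /CFDOCS/expeval/OpenFile.cfm HTTP/1.0" 200 1523',
    '198.51.100.7 - - [10/Feb/1999:10:02:40 +0000] "POST /cfdocs/expeval/%64isplayopenedfile.cfm HTTP/1.0" 200 310',
    '203.0.113.5 - - [11/Feb/1999:08:15:02 +0000] "GET //cfdocs//expeval/exprcalc.cfm?a=1 HTTP/1.0" 404 0',
    '192.0.2.10 - - [11/Feb/1999:08:16:00 +0000] "GET /index.cfm HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in remote_expeval_hits(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the script was served to a remote client; once the scripts have been patched or removed as recommended, remaining hits should show an error status such as 404.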