VID 21215
Severity 30
Port 80, …
Protocol TCP
Class CGI
Detailed Description The CGI script GetFile.cfm shipped with ColdFusion Server allows remote users to read any file on the server.
Macromedia ColdFusion is a web application server. The sample program 'GetFile.cfm' in Allaire Forums 2.0.4 and earlier could allow remote attackers to read arbitrary files, because the value passed in the 'filename' parameter is used directly as the path of the file to return.

* References:
http://www.allaire.com/handlers/index.cfm?ID=9602&Method=Full
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9902&L=ntbugtraq&F=&S=&P=2788

* Platforms Affected:
Allaire Forums 2.0.4 and earlier
Recommendation Upgrade to the latest version of Allaire Forums (2.0.5 or later), as listed in Macromedia Security Bulletin ASB99-05, "Allaire Forums Security Issues" at http://www.macromedia.com/v1/handlers/index.cfm?ID=9602

Macromedia recommends that the entire /CFDOCS directory tree be removed from production servers and installed only on development systems that are not exposed to potentially hostile networks. Specifically, remove the example applications stored in the /CFDOCS/exampleapps directory.

All ColdFusion customers should familiarize themselves with the ColdFusion "Best Security Practices" document available at the following address:
http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full
Related URL CVE-1999-0800 (CVE)
Related URL 229 (SecurityFocus)
Related URL 1748 (ISS)