| VID |
21258 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The CGI, sourcewindow.cfm in the ColdFusion Server allows remote users to read any file.
Macromedia ColdFusion is a web application server. The sample program 'sourcewindow.cfm' in the ColdFusion Server 4.0 on the Windows system could allow remote attackers to read arbitrary files by specifying the filename as an argument to the 'Template' parameter.
* References:
http://xforce.iss.net/xforce/alerts/id/advise92
http://www.macromedia.com/v1/handlers/index.cfm?ID=8739
* Platforms Affected:
ColdFusion Server 4.0
Windows Any version |
| Recommendation |
Install the Cold Fusion 4.0.1 Update, available from the Macromedia Web site, "ColdFusion 4.0.1 Update" at http://www.macromedia.com/v1/handlers/index.cfm?ID=10712
Macromedia recommends that the entire /CFDOCS directory tree be removed from production servers and only installed on development installations that are not exposed to potentially hostile networks. Specially, remove example applications stored in the /CFDOCS/exampleapps directory.
All ColdFusion customers should familiarize themselves with the ColdFusion "Best Security Practices" document available at the following address:
http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full |
| Related URL |
CVE-1999-0922,CVE-1999-0923 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
1744 (ISS) |
|
