| Field | Value |
|---|---|
| VID | 21259 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |

| Detailed Description |
The sample CGI script viewexample.cfm shipped with ColdFusion Server allows remote users to view the source of any CFM file. Macromedia ColdFusion is a web application server. The sample program 'viewexample.cfm' in ColdFusion Server 4.0 and earlier on Windows could allow remote attackers to read arbitrary CFM files by supplying the CFM filename as the value of the 'Tagname' parameter. This could allow the attacker to obtain proprietary information, such as usernames and passwords, contained in the source code.
* References: http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
* Platforms Affected: ColdFusion Server 4.0 and earlier; Windows, any version

| Recommendation |
Install the ColdFusion 4.0.1 Update, available from the Macromedia Web site as "ColdFusion 4.0.1 Update" at http://www.macromedia.com/v1/handlers/index.cfm?ID=10712

Macromedia recommends that the entire /CFDOCS directory tree be removed from production servers and installed only on development systems that are not exposed to potentially hostile networks. Specifically, remove the example applications stored in the /CFDOCS/exampleapps directory.

All ColdFusion customers should familiarize themselves with the ColdFusion "Best Security Practices" document, available at http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full

| Related URL | Reference |
|---|---|
| Related URL | CVE-1999-0923 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 1741 (ISS) |