| VID |
22432 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The ColdFusion MX program is vulnerable to an information disclosure vulnerability via a double-encoded null byte. Abobe Macromedia ColdFusion is a product for developing and deploying web applications. Adobe ColdFusion MX versions 7 through 7.0.2, and JRun 4, when run on Microsoft IIS, could allow a remote attacker to obtain sensitive information. By sending in a filename followed by a double URL-encoded NULL byte in a ColdFusion filename, such as a CFM file, a remote attacker could read arbitrary files, list directories, or read source code.
* References:
http://www.adobe.com/support/security/bulletins/apsb07-02.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=466
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0199.html
http://www.frsirt.com/english/advisories/2007/0116
http://securitytracker.com/id?1017490
http://secunia.com/advisories/23668
* Platforms Affected:
Adobe, ColdFusion MX 7.0.2
Adobe, ColdFusion MX 7.0.1
Adobe, ColdFusion MX 7
Adobe, JRun 4.0
Microsoft Windows Any version |
| Recommendation |
Apply the patch for this vulnerability, as listed in Adobe Security bulletin APSB07-02 at http://www.adobe.com/support/security/bulletins/apsb07-02.html |
| Related URL |
CVE-2006-5858 (CVE) |
| Related URL |
21978 (SecurityFocus) |
| Related URL |
31411 (ISS) |
|
