ColdFusion Expression Evaluator allows remote file manipulation
| coldfusion-expression-evaluator (1740) |  High Risk |
Description:
The Expression Evaluator (packed in ColdFusion) could allow a remote attacker to view, delete, or upload (create) arbitrary files on the server. Normally, the Expression Evaluator program is accessible only from the localhost computer (127.0.0.1), but when accessed directly it allows connections from any host.
Platforms Affected:
- Macromedia, ColdFusion
- Microsoft, Windows 2000
- Microsoft, Windows 2003 Server
- Microsoft, Windows NT 4.0
Remedy:
Apply the Cold Fusion 4.0.1 Update, as listed in Allaire Security Bulletin ASB99-01. See References.
— OR —
Apply the appropriate ColdFusion Expression Evaluator Security Patch for your system, as listed in Allaire Security Bulletin ASB99-01. See References.
— OR —
If you do not wish to apply the 4.0.1 Update or the Cold Fusion Evaluator Security Patch, remove the Cold Fusion Expression Evaluator (evaluate.cfm) from //CFDOCS/expeval.
— AND —
Allaire recommends removing all sample code, example applications, tutorials and documentation from production servers. As a rule, sample code and example applications should not be installed on production servers.
Consequences:
File Manipulation
References:
- @stake, Inc./L0pht Security Advisory 04/20/99, Cold Fusion Application Server at http://www.webproxy.com/research/advisories/1999/cfusion.txt.
- Macromedia Web site, ColdFusion 4.0.1 Update at http://www.macromedia.com/v1/handlers/index.cfm?ID=10712.
- Macromedia/Allaire Security Bulletin ASB99-01, Expression Evaluator Security Issues at http://www.macromedia.com/v1/handlers/index.cfm?ID=8727.
- Phrack Magazine, Volume 8, Issue 54, Article 08 of 12, NT Web Technology Vulnerabilities at http://www.phrack.com/show.php?p=54&a=8.
- BID-115: Allaire ColdFusion Remote File Display, Deletion, Upload and Execution Vulnerability
- CVE-1999-0455: The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.
- CVE-1999-0477: The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.
- OSVDB ID: 1: ColdFusion exprcalc.cfm OpenFilePath Variable Arbitrary File Disclosure
Reported:
Nov 25, 1998
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net