ColdFusion Web publish example script can be used to upload and execute files

coldfusion-webpublish-execute-code (6790). The risk level is classified as High Risk.

Description:

Macromedia ColdFusion is shipped with several sample applications and scripts used for demonstration purposes. These programs and scripts are intended to be accessible only from the local host. A vulnerability in the Web publish example script could allow a remote attacker to bypass that access restriction and upload files to the Web server. The restriction is enforced by checking the HTTP Host header (exposed to the script as the CGI.HOST variable), a value the client supplies, so a remote attacker can bypass it by sending a request whose Host header names the local host. An attacker could use this vulnerability to upload malicious files to an affected Web server and then execute them.
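The following is an added example and not code from the ISS advisory or from Macromedia's sample applications. It models the flawed access check the description attributes to the example scripts (trusting the client-supplied Host header, i.e. CGI.HOST) beside a check keyed on the TCP peer address, and it scans a few constructed access-log lines for the spoofing pattern. The log format, the host= field, the IP addresses and the request paths are assumptions made for illustration; only the /CFDOCS/exampleapps directory comes from the advisory.

```python
import ipaddress
import re

# Names the sample scripts would accept as "local" (assumption for illustration).
LOOPBACK_NAMES = {"localhost", "127.0.0.1"}


def cgi_host(headers):
    """Mimic CGI.HOST: the HTTP Host header with any :port suffix removed,
    lower-cased. This value is chosen by the client, not by the server."""
    host = headers.get("Host", "")
    return host.split(":", 1)[0].strip().lower()


def vulnerable_is_local(headers, remote_addr):
    """Flawed pattern described in the advisory: the decision rests entirely on
    the attacker-controlled Host header. remote_addr is never consulted."""
    del remote_addr  # ignored: this is the bug
    return cgi_host(headers) in LOOPBACK_NAMES


def hardened_is_local(remote_addr):
    """Key the decision on the TCP peer address (CGI.REMOTE_ADDR in CFML), which a
    client cannot forge in a completed TCP/HTTP exchange. Note: behind a reverse
    proxy the peer is the proxy, and X-Forwarded-For is client-controlled too, so
    this check must run on the host that terminates the client connection."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


# Constructed log format: CLF fields followed by host="<Host header>".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)"'
)


def scan_log(lines):
    """Return (client_ip, path, host_header) for requests to the example apps
    where the Host header claims loopback but the peer address is not loopback.
    The path match is case-insensitive because the server may run on Windows."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if not m["path"].lower().startswith("/cfdocs/exampleapps/"):
            continue
        try:
            peer = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        claimed = m["host"].split(":", 1)[0].lower()
        if claimed in LOOPBACK_NAMES and not peer.is_loopback:
            hits.append((m["ip"], m["path"], m["host"]))
    return hits


# Constructed sample lines: one spoofed remote hit, one genuine local request,
# one remote request with an honest Host header, one unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2001:10:01:02 +0000] "POST /CFDOCS/exampleapps/publish/upload.cfm HTTP/1.0" 200 512 host="localhost"',
    '127.0.0.1 - - [05/Jul/2001:10:02:15 +0000] "GET /CFDOCS/exampleapps/publish/index.cfm HTTP/1.0" 200 2048 host="localhost"',
    '198.51.100.9 - - [05/Jul/2001:10:03:40 +0000] "GET /CFDOCS/exampleapps/publish/index.cfm HTTP/1.0" 403 310 host="www.example.com"',
    '198.51.100.9 - - [05/Jul/2001:10:04:01 +0000] "GET /index.cfm HTTP/1.0" 200 4096 host="localhost"',
]


if __name__ == "__main__":
    spoofed = {"Host": "localhost"}
    print("vulnerable check, remote peer:", vulnerable_is_local(spoofed, "203.0.113.7"))
    print("hardened check, remote peer:  ", hardened_is_local("203.0.113.7"))
    for hit in scan_log(SAMPLE_LOG):
        print("spoofed-Host request to example apps:", hit)
```

The point the comparison makes is that the script's notion of "local" was a string the requester typed, while the only request attribute the requester cannot choose is the address the connection came from; the log scan applies the same distinction retrospectively, which is the check an incident responder would run against a server that still had the example applications installed.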

Platforms Affected:

  • Macromedia, ColdFusion 4.5

Remedy:

Macromedia does not intend to release a patch for this vulnerability.

As a workaround, do not install example applications or documentation on production ColdFusion servers. Example applications are stored in the /CFDOCS/exampleapps directory. As a rule, sample code and example applications should not be installed on production servers.

— OR —

Upgrade to the latest version of Macromedia ColdFusion (5.0 or later), available from the Macromedia Web site. See References.

Consequences:

Gain Access

References:

  • Internet Security Systems Security Alert #92, Remote Vulnerabilities in Macromedia ColdFusion Example Applications at http://www.iss.net/xforce/alerts/id/advise92.
  • Macromedia Product Security Bulletin MPSB01-08, Best practice recommended to address new security issue in example applications released with ColdFusion Server versions 4.x and earlier. at http://www.macromedia.com/v1/handlers/index.cfm?ID=21700.
  • Macromedia Web site, Macromedia ColdFusion at http://www.macromedia.com/software/coldfusion/downloads/.
  • BID-3154: ColdFusion Sample Application Command Execution Vulnerability
  • CVE-2001-0535: Example applications (Exampleapps) in ColdFusion Server 4.x do not properly restrict access from outside the local host's domain, which allows remote attackers to upload, read, or execute files by spoofing the HTTP Host (CGI.Host) variable in (1) the Web Publish example script, and (2) the Email example script.

Reported:

Jul 05, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net