ColdFusion email example script can be used to view arbitrary files
| coldfusion-email-view-files (6791) |  Medium Risk |
Description:
Macromedia ColdFusion version 4.5 ships with several sample programs and scripts used for demonstration purposes. These programs and scripts are accessible only through the local host. A vulnerability in the email example script could allow a remote attacker to bypass access restrictions and view arbitrary files on the server. The attacker could bypass access restrictions by sending an HTTP request with a spoofed Host variable in the HTTP header. Once a successful login has occurred, the attacker can send a specially-crafted URL to view any file on the Web server.
Consequences:
File Manipulation
Remedy:
Macromedia does not intend to release a patch for this vulnerability.
As a workaround, do not install example applications or documentation on production ColdFusion servers. Example applications are stored in the /CFDOCS/exampleapps directory. As a rule, sample code and example applications should not be installed on production servers.
— OR —
Upgrade to the latest version of Macromedia ColdFusion (5.0 or later), available from the Macromedia Web site. See References.
References:
- Internet Security Systems Security Alert #92: Remote Vulnerabilities in Macromedia ColdFusion Example Applications.
- Macromedia Product Security Bulletin MPSB01-08: Best practice recommended to address new security issue in example applications released with ColdFusion Server versions 4.x and earlier..
- Macromedia Web site: Macromedia ColdFusion.
- BID-3154: ColdFusion Sample Application Command Execution Vulnerability
- CVE-2001-0535: Example applications (Exampleapps) in ColdFusion Server 4.x do not properly restrict prevent access from outside the local host's domain, which allows remote attackers to conduct upload, read, or execute files by spoofing the HTTP Host (CGI.Host) variable in (1) the Web Publish example script, and (2) the Email example script.
Platforms Affected:
- Macromedia ColdFusion 4.5
- Microsoft Windows 2000
- Microsoft Windows 2003 Server
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows XP
Reported:
Jul 05, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net