ColdFusion Server Web Publish Example Script Access Restriction Bypass
2001-08-07T00:00:00
ID OSVDB:10505 Type osvdb Reporter Mark Dowd(mdowd@iss.net) Modified 2001-08-07T00:00:00
Description
Vulnerability Description
The 'Web Publish' example script in ColdFusion Server contains a flaw that may allow a remote attacker to bypass access restrictions. The issue is triggered when sending a HTTP request with a spoofed Host variable in the HTTP header. It is possible that the flaw may allow a remote attacker to upload and execute malicious files resulting in a loss of integrity.
Solution Description
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the CFDOCS directory.
Short Description
The 'Web Publish' example script in ColdFusion Server contains a flaw that may allow a remote attacker to bypass access restrictions. The issue is triggered when sending a HTTP request with a spoofed Host variable in the HTTP header. It is possible that the flaw may allow a remote attacker to upload and execute malicious files resulting in a loss of integrity.
{"type": "osvdb", "published": "2001-08-07T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:10505", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "viewCount": 2, "edition": 1, "reporter": "Mark Dowd(mdowd@iss.net)", "title": "ColdFusion Server Web Publish Example Script Access Restriction Bypass", "affectedSoftware": [{"operator": "eq", "version": "3.x", "name": "ColdFusion Server for Windows"}, {"operator": "eq", "version": "4.x", "name": "ColdFusion Server for Solaris"}, {"operator": "eq", "version": "4.x", "name": "ColdFusion Server for Windows"}, {"operator": "eq", "version": "2.x", "name": "ColdFusion Server for Windows"}, {"operator": "eq", "version": "4.5.x", "name": "ColdFusion Server for Linux"}, {"operator": "eq", "version": "4.x", "name": "ColdFusion Server for HP-UX"}], "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2017-04-28T13:20:05", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2001-0535"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:1908"]}, {"type": "osvdb", "idList": ["OSVDB:10592"]}], "modified": "2017-04-28T13:20:05", "rev": 2}, "vulnersScore": 7.0}, "references": [], "id": "OSVDB:10505", "lastseen": "2017-04-28T13:20:05", "cvelist": ["CVE-2001-0535"], "modified": "2001-08-07T00:00:00", "description": "## Vulnerability Description\nThe 'Web Publish' example script in ColdFusion Server contains a flaw that may allow a remote attacker to bypass access restrictions. The issue is triggered when sending a HTTP request with a spoofed Host variable in the HTTP header. It is possible that the flaw may allow a remote attacker to upload and execute malicious files resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the CFDOCS directory.\n## Short Description\nThe 'Web Publish' example script in ColdFusion Server contains a flaw that may allow a remote attacker to bypass access restrictions. The issue is triggered when sending a HTTP request with a spoofed Host variable in the HTTP header. It is possible that the flaw may allow a remote attacker to upload and execute malicious files resulting in a loss of integrity.\n## References:\nVendor URL: http://www.macromedia.com/\n[Vendor Specific Advisory URL](http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html)\nSecurity Tracker: 1002158\n[Related OSVDB ID: 10592](https://vulners.com/osvdb/OSVDB:10592)\nOther Advisory URL: http://xforce.iss.net/xforce/alerts/id/advise92\nISS X-Force ID: 6790\n[CVE-2001-0535](https://vulners.com/cve/CVE-2001-0535)\nBugtraq ID: 3154\n", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:19:04", "description": "Example applications (Exampleapps) in ColdFusion Server 4.x do not properly restrict prevent access from outside the local host's domain, which allows remote attackers to conduct upload, read, or execute files by spoofing the \"HTTP Host\" (CGI.Host) variable in (1) the \"Web Publish\" example script, and (2) the \"Email\" example script.", "edition": 4, "cvss3": {}, "published": "2001-10-30T05:00:00", "title": "CVE-2001-0535", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0535"], "modified": "2008-09-05T20:24:00", "cpe": ["cpe:/a:macromedia:coldfusion_server:4.x"], "id": "CVE-2001-0535", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0535", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:macromedia:coldfusion_server:4.x:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:05", "bulletinFamily": "software", "cvelist": ["CVE-2001-0535"], "edition": 1, "description": "## Vulnerability Description\nThe 'email' example script in ColdFusion Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a HTTP request with a spoofed Host variable in the HTTP header. It is possible that the flaw may allow a remote attacker to view arbitrary files resulting in a loss of confidentiality.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the CFDOCS directory.\n## Short Description\nThe 'email' example script in ColdFusion Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a HTTP request with a spoofed Host variable in the HTTP header. It is possible that the flaw may allow a remote attacker to view arbitrary files resulting in a loss of confidentiality.\n## References:\nVendor URL: http://www.macromedia.com/\n[Vendor Specific Advisory URL](http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html)\nSecurity Tracker: 1002158\n[Related OSVDB ID: 10505](https://vulners.com/osvdb/OSVDB:10505)\nOther Advisory URL: http://xforce.iss.net/xforce/alerts/id/advise92\nISS X-Force ID: 6791\n[CVE-2001-0535](https://vulners.com/cve/CVE-2001-0535)\nBugtraq ID: 3154\n", "modified": "2001-08-07T00:00:00", "published": "2001-08-07T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:10592", "id": "OSVDB:10592", "type": "osvdb", "title": "ColdFusion Server Email Example Script Information Disclosure", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:04", "bulletinFamily": "software", "cvelist": ["CVE-2001-0535"], "description": "\r\nTO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to\r\nmajordomo@iss.net Contact alert-owner@iss.net for help with any problems!\r\n---------------------------------------------------------------------------\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\nInternet Security Systems Security Advisory\r\nAugust 7, 2001\r\n\r\nRemote Vulnerabilities in Macromedia ColdFusion Example Applications\r\n\r\nSynopsis:\r\n\r\nInternet Security Systems (ISS) X-Force has discovered multiple remote\r\nvulnerabilities in Macromedia ColdFusion. ColdFusion is an enterprise\r\napplication used to develop, maintain, administer, and deliver Web sites\r\non the Internet. The vulnerabilities may allow remote attackers to\r\nexecute arbitrary commands as a privileged user on a vulnerable\r\nColdFusion installation.\r\n\r\nAffected Products and Releases:\r\n\r\nColdFusion Server for Windows 4.x\r\nColdFusion Server for Solaris 4.x\r\nColdFusion Server for HP-UX 4.x\r\nColdFusion Server for Linux 4.x\r\n\r\nColdFusion Server 5.0 is not vulnerable\r\n\r\nDescription:\r\n\r\nMacromedia ColdFusion ships with several small "helper" applications\r\nthat are meant to educate users on a small subset of ColdFusion\u2019s\r\nfeatures. These applications are not installed by default, and\r\nMacromedia has documented and continues to recommend that production\r\nColdFusion servers should not have the example applications installed.\r\n\r\nColdFusion ships with two vulnerable "Exampleapps". These applications\r\nmay be queried via a normal Web browser. Both of these example\r\napplications employ a rudimentary security mechanism to attempt to block\r\nall access except from the ColdFusion server itself. It is possible for\r\nremote attackers to spoof the source of the query and bypass this\r\nrestriction.\r\n\r\nBoth vulnerable scripts behave like CGI (Common Gateway Interface)\r\napplications. It is possible for the attacker to interact with the\r\nexample applications to create files, view files, or execute commands\r\non the vulnerable target.\r\n\r\nRecommendations:\r\n\r\nMacromedia will not release a patch to address the vulnerabilities\r\ndescribed in this advisory. Macromedia recommends that customers do not\r\ninstall example applications or documentation on production ColdFusion\r\nservers. Example applications are stored in the /CFDOCS/exampleapps\r\ndirectory. \r\n\r\nMacromedia recommends that the entire /CFDOCS directory tree be removed\r\nfrom production servers and only installed on development installations\r\nthat that are not exposed to potentially hostile networks.\r\n\r\nAll ColdFusion customers should familiarize themselves with the\r\nColdFusion "Best Security Practices" document available at the following\r\naddress:\r\n \r\nhttp://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full\r\n\r\nAdditional Information:\r\n\r\nAllaire/Macromedia Security Zone:\r\n\r\nhttp://www.allaire.com/security\r\n\r\nMacromedia Security Bulletin, "ColdFusion Example Applications\r\nPotentially Expose Server":\r\n\r\nhttp://www.allaire.com/developer/securityzone/securitybulletins.cfm\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nName CAN-2001-0535 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nISS Consulting can offer security assessments and penetration testing\r\nfor your organization. ISS Managed Security Services can also provide\r\nautomated scanning and 24x7 IDS monitoring for these security issues.\r\nISS SecureU offers educational courses on ISS products and detailed\r\nethical hacking classes on these and other security issues.\r\n\r\nCredits:\r\n\r\nThis vulnerability was discovered and researched by Mark Dowd of ISS\r\nX-Force. ISS would like to thank Macromedia for their response and\r\nhandling of this vulnerability.\r\n\r\n______\r\n\r\nAbout Internet Security Systems (ISS)\r\nInternet Security Systems is a leading global provider of security\r\nmanagement solutions for the Internet, protecting digital assets and\r\nensuring safe and uninterrupted e-business. With its industry-leading\r\nintrusion detection and vulnerability assessment, remote managed\r\nsecurity services, and strategic consulting and education offerings, ISS\r\nis a trusted security provider to more than 8,000 customers worldwide\r\nincluding 21 of the 25 largest U.S. commercial banks and the top 10 U.S.\r\ntelecommunications companies. Founded in 1994, ISS is headquartered in\r\nAtlanta, GA, with additional offices throughout North America and\r\ninternational operations in Asia, Australia, Europe, Latin America and\r\nthe Middle East. For more information, visit the Internet Security\r\nSystems web site at www.iss.net or call 888-901-7477.\r\n\r\nCopyright (c) 2001 Internet Security Systems, Inc.\r\n\r\nPermission is hereby granted for the redistribution of this Alert\r\nelectronically. It is not to be edited in any way without express\r\nconsent of the X-Force. If you wish to reprint the whole or any part\r\nof this Alert in any other medium excluding electronic medium, please\r\ne-mail xforce@iss.net for permission.\r\n\r\nDisclaimer\r\n\r\nThe information within this paper may change without notice. Use of\r\nthis information constitutes acceptance for use in an AS IS condition.\r\nThere are NO warranties with regard to this information. In no event\r\nshall the author be liable for any damages whatsoever arising out of or\r\nin connection with the use or spread of this information. Any use of\r\nthis information is at the user's own risk.\r\n\r\nX-Force PGP Key available at: http://xforce.iss.net/sensitive.php\r\nas well as on MIT's PGP key server and PGP.com's key server.\r\n\r\nPlease send suggestions, updates, and comments to: X-Force\r\nxforce@iss.net of Internet Security Systems, Inc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.3a\r\nCharset: noconv\r\n\r\niQCVAwUBO3ACjTRfJiV99eG9AQHFIAP/V6GGQ/z7Pehi+tUGOqpBOoNvO28h2cDP\r\nx9eDv5eG/1ZeDoyLK47d27NylhwGCh9IgcJK7N2iW5h20LESf7aqpNfN+YS7L1VU\r\nhcAxt9XORSWSF3yg4i0uTF6jcKtTE7nBKdwn/IvDK/+3NBUPMQ8Llkr8JBLhA1Dy\r\nsAL0wuWklYQ=\r\n=p+G6\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2001-08-12T00:00:00", "published": "2001-08-12T00:00:00", "id": "SECURITYVULNS:DOC:1908", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1908", "title": "ISSalert: ISS Advisory: Remote Vulnerabilities in Macromedia ColdFusion Example Applications", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
