ColdFusion sourcewindow.cfm View Arbitrary File

1999-02-04T00:00:00
ID OSVDB:3239
Type osvdb
Reporter OSVDB
Modified 1999-02-04T00:00:00

Description

Vulnerability Description

ColdFusion contains a flaw that allows a remote attacker to read any file on the system. The flaw is due to poor sanity checking on arguments passed to the sourcewindow.cfm script, which is installed by default.

Solution Description

Users of ColdFusion 4.0 should upgrade or patch to version 4.0.1 or higher, which has been reported to fix this vulnerability. Users of ColdFusion 2.x or 3.x should remove all sample applications, as the 4.0.1 patch does not apply to those installations.

References:

Other Advisory URL: http://www.macromedia.com/devnet/security/security_zone/asb99-02.html
ISS X-Force ID: 1744
CVE-1999-0923
CVE-1999-0922