OSVDB ID: 1

Title: ColdFusion Application Server exprcalc.cfm OpenFilePath Variable Arbitrary File Disclosure

Info

Dates

Disclosure: Dec 25, 1998
Discovery: Unknown
Exploit: Dec 25, 1998
Solution: Unknown

Description

ColdFusion contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker specifies the OpenFilePath variable in the Expression Evaluator. This allows an attacker to view the contents of arbitrary files on the server and may result in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 4.0.1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by removing all sample code and documentation from the server.

Products

Vendor: Macromedia, Inc.
Product: ColdFusion
Versions: 2.0, 3.0, 3.1, 4.0

Credit

  • RFP - rfp@wiretrip.net - RFP Labs


Direct URL: http://osvdb.org/36218