[NT] Gafware's CFXImage Showtemp Program File Reading Vulnerability
From: support@securiteam.comDate: 05/29/02
- Previous message: support@securiteam.com: "[NT] Malformed Mail Attribute Causes Exchange 2000 to Exhaust CPU Resources"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Wed, 29 May 2002 23:44:17 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Gafware's CFXImage Showtemp Program File Reading Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.gafware.com> CFXImage is a custom ColdFusion tag for editing
and creating images. A security vulnerability in the product allows
attackers to view the content of files residing outside the normally
bounding HTML root directory.
DETAILS
Vulnerable systems:
CFXImage versions 1.6.6 and prior
Showtemp.cfm is part of the CFXImage documentation, the showtemp.cfm
program does not filter its input variables allowing directory transversal
and reading of files outside the web root.
Exploit:
Showtemp can be exploited to read the boot.ini file in the following
manner :
http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=c:\boot.ini
Or
http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=../../../../../../../../../..boot.ini%00
Severity:
Anonymous attackers can read any files on the server, if the web service's
account has the appropriate rights to read the file.
Vendor Status:
Vendor has a patched version available.
Fix:
As policy, all sample programs and documentation should be removed from
production servers. Otherwise, upgrade to the latest version of CFXImage,
which fixes this vulnerability.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:richard.brain@procheckup.com> Richard Brain.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NT] Malformed Mail Attribute Causes Exchange 2000 to Exhaust CPU Resources"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] Sensitive Information Disclosure Vulnerability Found in SIPS (PHP)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A security vulnerability
in the product allows attackers to get access to ... In no event shall we be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business profits or special
damages. ... (Securiteam) - [UNIX] Multiple Vulnerabilities Found in PVote
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... PVote is a PHP voting system.
... Delete vulnerability: ... In no event shall we be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business profits or special
damages. ... (Securiteam) - [NT] Dynu FTP Server Directory Traversal Vulnerability
... Dynu FTP Server Directory Traversal Vulnerability ... The following security
advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
... In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages. ... (Securiteam) - [NEWS] Hushmail.com Accounts Vulnerable to Script Attack
... Hushmail.com Accounts Vulnerable to Script Attack ... The following security
advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
... The vulnerability has been fixed on 13 September 2001 ... In no event shall
we be liable for any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages. ... (Securiteam) - [EXPL] Multiple pwck/grpck Privilege Elevation Vulnerabilities (Exploit code)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... vulnerability in the program
allows attackers to execute of arbitrary code ... int main{ ... In no event shall
we be liable for any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages. ... (Securiteam)
