[NT] ColdFusion MX 6.1 on IIS File Contents Disclosure

From: SecuriTeam (support_at_securiteam.com)
Date: 10/06/04

    To: list@securiteam.com
    Date: 6 Oct 2004 10:16:22 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ColdFusion MX 6.1 on IIS File Contents Disclosure
    ------------------------------------------------------------------------

    SUMMARY

    ColdFusion is "a programming language based on standard HTML that is used
    to write dynamic webpages. When a page in a ColdFusion application is
    requested by a browser, it is automatically pre-processed by the
    ColdFusion Application Server".

    Remote exploitation of an input validation error in ColdFusion MX 6.1 on
    IIS allows the disclosure of file contents.

    DETAILS

    Vulnerable Systems:
     * ColdFusion MX version 6.1 on IIS

    By supplying the name of a file not 'associated' with the ColdFusion
    plugin and appending ;.cfm or any other extension that is associated with
    ColdFusion, it may be possible to view the contents of files that
    otherwise would be protected by IIS's access restrictions.

    Impact:
    This vulnerability may expose sensitive files stored under the webroot,
    bypassing access restrictions set in the IIS management system. In order
    for the file to be read, it must be accessible to the user ColdFusion is
    executing as. This vulnerability still requires knowledge of the existence
    of a file of interest. It does not expose the directory listing.

    Workaround:
    Change the mapping rules for ColdFusion handled files to refer to specific
    files instead of the default *.cfm, *.jsp, etc. It is also
    possible to mitigate against exploitation by not storing sensitive
    information within the webroot of any server. Storing the information
    outside of the webroot may require changes to applications.
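
    One way to look for the request pattern described under DETAILS in
    existing IIS logs. This is an added example, not part of the original
    advisory; the W3C field layout, the sample log lines and the extension
    set beyond *.cfm and *.jsp are assumptions.

```python
from urllib.parse import unquote

# Assumption: extensions mapped to ColdFusion on this server. The advisory
# names *.cfm and *.jsp; adjust the set to the local IIS mappings.
CF_EXTENSIONS = {".cfm", ".cfml", ".cfc", ".jsp"}

# Constructed sample in W3C extended log format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-10-06 09:01:10 192.0.2.10 GET /app/index.cfm - 200
2004-10-06 09:01:12 198.51.100.7 GET /app/settings.ini;.cfm - 200
2004-10-06 09:01:15 192.0.2.10 GET /app/page.cfm;jsessionid=8430 - 200
2004-10-06 09:01:19 198.51.100.7 GET /private/notes.txt%3B.CFM - 200
"""


def _ext(path):
    """Lower-cased extension of the last path segment, or '' if it has none."""
    base = path.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def find_suspect_requests(log_text):
    """Return (client_ip, uri_stem, status) for requests where a file with a
    non-ColdFusion extension is followed by ';' and a ColdFusion-mapped one."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # header line names the columns
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = unquote(row.get("cs-uri-stem", ""))   # normalise %3B to ';'
        real, sep, tail = stem.partition(";")
        if not sep:
            continue                         # no ';' suffix in the path
        if _ext(tail) in CF_EXTENSIONS and _ext(real) not in CF_EXTENSIONS:
            hits.append((row.get("c-ip"), stem, row.get("sc-status")))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

    A hit with status 200 on a file that IIS access restrictions should have
    protected is the case to review first.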

    Vendor response:
    MPSB04-09 - Cumulative Security Patch available for ColdFusion MX:
    http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html

    CVE Information:
    CAN-2004-0928
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0928

    Disclosure timeline:
    07/08/2004 Initial vendor notification
    07/08/2004 iDEFENSE clients notified
    07/09/2004 Initial vendor response
    10/05/2004 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE
    (idlabs-advisories@idefense.com).
    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=148&type=vulnerabilities
