Adobe ColdFusion "filename" Arbitrary File Disclosure Vulnerability

Last Update Date: 15 May 2013 Release Date: 10 May 2013 4083 Views

RISK: High Risk

High Risk

TYPE: Servers - Internet App Servers

TYPE: Internet App Servers

A vulnerabilities has been identified in Adobe ColdFusion, which can be exploited by an unauthorized user to remotely retrieve files stored on the server.

 

Input passed via the "filename" parameter to administrator/mail/download.cfm in the CFIDE/adminapi section is not properly verified before being used to access files. This can be exploited to disclose the contents of arbitrary files on the server via directory traversal sequences.

 

Successful exploitation requires that access to the CFIDE/administrator, CFIDE/adminapi, and CFIDE/gettingstarted directories is not restricted.

 

Note: A proof of concept exploit code is publicly available.

Impact

  • Remote Code Execution
  • Information Disclosure

System / Technologies affected

  • ColdFusion 10, 9.0.2, 9.0.1 and 9.0

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • [Updated 15 May 2013] Apply hotfix APSB13-13.

Vulnerability Identifier

Source

Related Link

Share with

Previous

Cisco Unified Customer Voice Portal Multiple Vulnerabilities

9 May 2013 3949 Views

Next

Microsoft Internet Explorer Unspecified Use-After-Free Vulnerability

6 May 2013 4846 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY