Summary

ColdFusion is "a programming language based on standard HTML that is used to write dynamic webpages. When a page in a ColdFusion application is requested by a browser, it is automatically pre-processed by the ColdFusion Application Server".

Details
Vulnerable Systems:
* ColdFusion MX version 6.1 on IIS

By supplying the filename of a file not 'associated' with the ColdFusion plugin and appending ;.cfm (or any other extension that is associated with ColdFusion), it may be possible to view the contents of files that would otherwise be protected by IIS's access restrictions.

Impact:
This vulnerability may expose sensitive files stored under the webroot, bypassing access restrictions set in the IIS management system. In order for the file to be read, it must be accessible to the user account ColdFusion is executing as. This vulnerability still requires knowledge of the existence of a file of interest; it does not expose the directory listing.

Workaround:
Change the mapping rules for ColdFusion-handled files to refer to specific files instead of the default wildcard mappings (*.cfm, *.jsp, etc.). It is also possible to mitigate exploitation by not storing sensitive information within the webroot of any server. Storing the information outside of the webroot may require changes to applications.

Vendor response:
MPSB04-09 - Cumulative Security Patch available for ColdFusion MX:
http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html

CVE Information:
CAN-2004-0928

Disclosure timeline:
07/08/2004 Initial vendor notification
07/08/2004 iDEFENSE clients notified
07/09/2004 Initial vendor response
10/05/2004 Public disclosure
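The advisory gives defenders one concrete artifact to look for: a request for a non-ColdFusion file whose URI stem has a ColdFusion-mapped extension appended after a semicolon. The following script is an added example, not part of the iDEFENSE advisory or of any Macromedia tooling. It parses IIS W3C extended log lines and flags that pattern, percent-decoding first so that an encoded semicolon (%3B) is not missed, and ignoring the legitimate use of semicolons for path parameters such as ;jsessionid=. The set of ColdFusion extensions beyond *.cfm and *.jsp, and the log lines themselves, are constructed for the example and should be replaced with the handler mappings and logs of the server being reviewed.

```python
"""Scan IIS W3C extended log lines for the ';.cfm' handler-mapping
bypass pattern described in the advisory (CAN-2004-0928)."""
import os
from urllib.parse import unquote

# Extensions the ColdFusion MX handler claims on IIS. The advisory names
# *.cfm and *.jsp "etc."; the rest are an assumption for this example and
# should be replaced with the mappings actually configured on the server.
CF_EXTENSIONS = (".cfm", ".cfml", ".cfc", ".jsp")

# Constructed sample IIS 6.0 W3C log; not taken from the advisory.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-10-05 12:00:01 203.0.113.7 GET /index.cfm - 200
2004-10-05 12:00:02 203.0.113.7 GET /admin/config.txt - 403
2004-10-05 12:00:03 203.0.113.7 GET /admin/config.txt;.cfm - 200
2004-10-05 12:00:04 198.51.100.4 GET /docs/readme.txt%3B.jsp - 200
2004-10-05 12:00:05 198.51.100.4 GET /app/page.cfm;jsessionid=abc - 200
"""


def classify_uri(uri_stem):
    """Return (base_path, matched_extension) when the stem names a
    non-ColdFusion file with a ColdFusion extension appended after ';',
    otherwise None. Percent-decodes first so '%3B' is not missed."""
    decoded = unquote(uri_stem)
    if ";" not in decoded:
        return None
    # Split at the first ';' so a doubled suffix (';.cfm;.cfm') still
    # leaves the real file name in `base`.
    base, _, tail = decoded.partition(";")
    tail_lower = tail.lower()
    matched = next((ext for ext in CF_EXTENSIONS if tail_lower.endswith(ext)), None)
    if matched is None:
        return None  # e.g. ';jsessionid=...' path parameters are legitimate
    base_ext = os.path.splitext(base)[1].lower()
    if base_ext in CF_EXTENSIONS:
        return None  # a genuine ColdFusion page; nothing is being smuggled
    return base, matched


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log record appears before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_suspicious(text):
    """Return flagged records with the decoded base path and the appended
    extension. An sc-status of 200 on such a request means the ColdFusion
    handler served the file, i.e. the IIS restriction was bypassed."""
    hits = []
    for rec in parse_w3c(text):
        result = classify_uri(rec.get("cs-uri-stem", ""))
        if result is None:
            continue
        base, ext = result
        hits.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "client": rec.get("c-ip"),
            "uri": rec.get("cs-uri-stem"),
            "base": base,
            "matched_ext": ext,
            "status": rec.get("sc-status"),
            "likely_success": rec.get("sc-status") == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, the script flags the two smuggled requests (config.txt;.cfm and readme.txt%3B.jsp) and leaves the plain /index.cfm and the ;jsessionid= request alone. The 403 on /admin/config.txt followed seconds later by a 200 on /admin/config.txt;.cfm from the same client is the sequence that confirms the IIS restriction was in place and was bypassed; after applying the vendor patch or narrowing the handler mappings as the workaround describes, the second request should also return an error.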
Additional information

The information has been provided by iDEFENSE. The original article can be found at: http://www.idefense.com/application/poi/display?id=148&type=vulnerabilities
Article source: 领测软件测试网 https://www.ltesting.net/
Copyright (C) 2003-2010 TestAge (领测软件测试网) | 领测国际科技(北京)有限公司 | 软件测试工程师培训网 All Rights Reserved
Room 1402, Beijing Institute of Technology Science and Technology Building, 9 Zhongguancun South Street, Haidian District, Beijing. 京ICP备2023014753号-2
Technical support and business contact: info@testage.com.cn Tel: 010-51297073