Cold Fusion Expression Evaluator Vulnerability
Impact
A vulnerability in the Cold Fusion Expression Evaluator utility
could allow an attacker to view and delete any file on the system, and
to upload files anywhere on the server. The ability to upload
executable files makes this vulnerability even more critical.
Background
The Cold Fusion Application Server includes online documentation
and sample code by default. Included in the sample code is the
Expression Evaluator utility, which allows a developer to experiment
with Cold Fusion expressions by uploading expressions from a
local PC and having the Expression Evaluator evaluate them.
The Problem
The file /cfdocs/expeval/exprcalc.cfm, part of
the Expression Evaluator utility, is intended to display the
file uploaded by the user, and then delete it. However, it can
easily be used to display and delete any file on the system.
Furthermore, it can even be used to delete itself, so that
subsequently uploaded files will not be deleted by the
Expression Evaluator, and will remain on the server.
Cold Fusion Application Server versions 2.0, 3.0, 3.1, and
4.0 have this vulnerability.
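Because the vulnerable script lives at a fixed, well-known path, an administrator can check whether it has been requested at all. The following Python is an added example (not from the advisory, from L0pht, or from Allaire) that scans Common Log Format access-log lines for requests under /cfdocs/expeval and the wider /cfdocs sample tree; the log lines and the second .cfm file name are constructed for illustration.

```python
import re

# Paths taken from the advisory: the vulnerable script and the sample-code
# directory the resolution says to delete. Matched case-insensitively,
# since the servers of this era ran on Windows where paths are not
# case-sensitive.
EXPRCALC_PATH = "/cfdocs/expeval/exprcalc.cfm"
EXPEVAL_DIR = "/cfdocs/expeval/"
CFDOCS_DIR = "/cfdocs/"

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify_request(target: str) -> str:
    """Rate a request target by how close it comes to the Expression Evaluator.

    'exprcalc' is the vulnerable script itself, 'expeval' anything else under
    the utility's directory, 'cfdocs' other documentation or sample content,
    'none' everything else. The query string is dropped first so that
    parameters cannot hide the path being requested.
    """
    path = target.split("?", 1)[0].lower()
    if path == EXPRCALC_PATH:
        return "exprcalc"
    if path.startswith(EXPEVAL_DIR):
        return "expeval"
    if path.startswith(CFDOCS_DIR):
        return "cfdocs"
    return "none"

def find_expeval_requests(log_lines):
    """Return one record per log line that touches the sample-code tree."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue  # not CLF; skip rather than guess at the fields
        kind = classify_request(m.group("target"))
        if kind != "none":
            hits.append({"host": m.group("host"), "time": m.group("time"),
                         "target": m.group("target"),
                         "status": m.group("status"), "kind": kind})
    return hits

# Constructed sample log lines, not real traffic; "sample.cfm" is a made-up name.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/1999:10:00:01 -0500] "GET /index.cfm HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Feb/1999:10:00:07 -0500] "GET /CFDOCS/expeval/ExprCalc.cfm?x=1 HTTP/1.0" 200 2048',
    '10.0.0.9 - - [01/Feb/1999:10:00:09 -0500] "POST /cfdocs/expeval/sample.cfm HTTP/1.0" 200 97',
    '10.0.0.7 - - [01/Feb/1999:10:01:00 -0500] "GET /cfdocs/index.htm HTTP/1.0" 404 0',
]
```

A 200 status on the exprcalc entry means the utility was still installed and reachable when the request arrived; after the /cfdocs/expeval directory is deleted, the same scan should show only 404s for that path.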
Resolutions
In general, online documentation and sample utilities should
not be kept on operational web servers. To disable the Expression
Evaluator, delete the /cfdocs/expeval
directory.
If the Expression Evaluator is needed, then either secure
the /cfdocs/expeval directory so that it is
only accessible by users who require it, or install the
patch described in
Allaire Security Bulletin 99-01.
Where can I read more about this?
More information about the Expression Evaluator vulnerability
can be found in the
L0pht Security Advisory and in
Allaire Security Bulletin 99-01.