A security vulnerability allows remote web users to delete and display any file on the system, and may also allow the upload and execution of ColdFusion files. A default installation of Cold Fusion Server includes sample code and documentation that is available to web browsing users. One of these sample applications, the expression evaluator, allows users to experiment with ColdFusion expressions. It gives you the option to upload a file, which it will then process, display and subsequently delete. Normally access to the application is restricted to the local machine. However, some pages in the application can be accessed directly. By passing it a handcrafted URL you can order it to display and delete any file on the system. The expression calculator is composed of several files. openfile.cfm and openedfile.cfm allow you to upload a file to the server. exprcalc.cfm processes the uploaded file, displays it and then deletes it. By using exprcalc.cfm to delete itself, we can upload a file to the server that will not be deleted, which we can then try to execute.
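As an added example that is not part of the advisory, the following Python check scans web server access logs for requests to the sample pages named above that do not come from the local machine, which is the condition the advisory says should never occur. The Common Log Format, the `/samples/` directory and the log lines are constructed assumptions; the only fix is to remove the sample applications from production servers.

```python
import re
from ipaddress import ip_address

# Sample application pages named in the advisory.
SAMPLE_PAGES = {"openfile.cfm", "openedfile.cfm", "exprcalc.cfm"}

# Common Log Format (assumed): host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def is_remote(host):
    """True unless the client address is a loopback address."""
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return True  # a hostname rather than an address: treat as remote


def find_sample_app_hits(lines):
    """Return remote requests whose target page is one of the sample pages."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, method, path, status = m.groups()
        # Drop the query string, keep the last path segment, compare
        # case-insensitively because the server runs on Windows.
        page = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if page in SAMPLE_PAGES and is_remote(host):
            hits.append({"host": host, "method": method,
                         "page": page, "status": int(status)})
    return hits


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /samples/exprcalc.cfm HTTP/1.0" 200 512',
    '203.0.113.7 - - [10/Oct/2000:13:56:01 -0700] "GET /samples/ExprCalc.cfm?x=1 HTTP/1.0" 200 2048',
    '203.0.113.7 - - [10/Oct/2000:13:56:05 -0700] "POST /samples/openfile.cfm HTTP/1.0" 200 300',
    '198.51.100.4 - - [10/Oct/2000:13:57:00 -0700] "GET /index.cfm HTTP/1.0" 200 1000',
]

if __name__ == "__main__":
    for hit in find_sample_app_hits(SAMPLE_LOG):
        print(f"remote access to sample page: {hit}")
```

The loopback request is ignored, while the two requests from 203.0.113.7 are reported even though one uses mixed case and a query string.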