Allaire ColdFusion Remote File...

Published: 1998-12-25
Revised: 2025-04-13

A security vulnerability allows remote web users to delete and display any file on the system, and may also allow the upload and execution of ColdFusion files. A default installation of ColdFusion Server includes sample code and documentation that is available to web browsing users. One of these sample applications, the expression evaluator, allows users to experiment with ColdFusion expressions. It gives you the option to upload a file, which it will then process, display and subsequently delete. Normally access to the application is restricted to the local machine. However, some pages in the application can be accessed directly. By passing it a handcrafted URL you can order it to display and delete any file on the system. The expression calculator is composed of several files. openfile.cfm and openedfile.cfm allow you to upload a file to the server. exprcalc.cfm processes the uploaded file, displays it and then deletes it. By using exprcalc.cfm to delete itself we can...

100%
There is currently 1 exploit/PoC entry
There are currently 0 affected product entries