[25599] in bugtraq
Gafware's CFXImage vulnerability
daemon@ATHENA.MIT.EDU (webmaster@procheckup.com)
Wed May 29 17:08:54 2002
Date: 29 May 2002 14:21:32 -0000
Message-ID: <20020529142132.5852.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <webmaster@procheckup.com>
To: bugtraq@securityfocus.com
Procheckup Ltd
www.procheckup.com
Procheckup Security Bulletin PR02-12
Description: Gafware's CFXImage showtemp program file reading vulnerability
Date: 23/5/2002
Vulnerable OS: Microsoft Windows.
Not Vulnerable OS: N/A
Platform: Microsoft Windows.
Severity: Anonymous attackers can read any file on the
server, provided the web service account has rights to
read the file.
Authors: Richard Brain [richard.brain@procheckup.com]
Vendor Status: Vendor has a patched version available.
HTTP://www.gafware.com
CVE Candidate: Not assigned
Reference: www.procheckup.com/security_info/vuln.html
Description:
CFXImage is a custom ColdFusion tag for editing and
creating images. Versions 1.6.6 and prior are vulnerable
to a directory traversal flaw.
showtemp.cfm is part of the CFXImage documentation. It
does not filter its input variables, which allows directory
traversal and the reading of files outside the webroot.
Showtemp can be exploited to read the boot.ini file in the
following manner:
http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=c:\boot.ini
or
http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=../../../../../../../../../../../../../../../../../../boot.ini%00
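The two request shapes above work because the FILE parameter is used as given: an absolute Windows path, a relative path climbing out of the temp directory, and a trailing null byte that truncates whatever the page appends. The check below is an added example, not Gafware's code or its patched version, and is written in Python rather than CFML so it runs anywhere; the allowed image types and the base directory are constructed for the example. It shows the validation a page like showtemp.cfm needs: a type allow-list, rejection of NUL and of any path component, and a canonical-path containment check as a last line of defence.

```python
import os

# Constructed for this example: image types a showtemp-style page may serve.
ALLOWED_TYPES = {"JPEG", "GIF", "PNG"}


def check_request(base_dir, image_type, requested):
    """Return (allowed, detail).

    `detail` is the resolved path when the request is allowed, otherwise the
    reason it was rejected. The checks are layered: each one alone would stop
    some of the advisory's inputs; together they leave only bare file names
    that live directly under base_dir.
    """
    if image_type.upper() not in ALLOWED_TYPES:
        return False, "type not allowed"
    # An embedded NUL truncates the name in C-level file APIs, so any
    # extension the page appends is never seen (the %00 trick above).
    if "\x00" in requested:
        return False, "null byte in name"
    # Windows accepts both separators, so normalise before inspecting.
    name = requested.replace("\\", "/")
    # A bare file name has no separator, no drive prefix, no dot-only parts.
    if "/" in name or ":" in name or name in ("", ".", ".."):
        return False, "path component in name"
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # Belt and braces: confirm the canonical path is still inside base_dir.
    if os.path.commonpath([base, full]) != base:
        return False, "escapes base directory"
    return True, full


# Sample inputs modelled on the advisory's request strings (constructed).
SAMPLES = [
    ("JPEG", "c:\\boot.ini"),
    ("JPEG", "../../../../boot.ini\x00"),
    ("JPEG", "temp123.jpg"),
    ("EXE", "temp123.jpg"),
]

if __name__ == "__main__":
    for image_type, requested in SAMPLES:
        allowed, detail = check_request("/srv/cfximage/temp", image_type, requested)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{requested!r:32} {verdict:5} {detail}")
```

The order matters only for the message returned; any of the three name checks would refuse both advisory payloads. The realpath comparison is kept even though the earlier checks make it redundant, so that a future relaxation of the name rules (say, allowing subdirectories) cannot silently reopen the traversal.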
Platforms Affected:
Microsoft Windows, ColdFusion and the CFXImage program
Consequences:
Anonymous attackers can gain information prior to launching
an attack.
Fix:
As a matter of policy, all sample programs and documentation
should be removed from production servers.
Otherwise, upgrade to the latest version of CFXImage, which
fixes this vulnerability.
References:
Thanks to Glenn Flansburg for providing a prompt fix.
Legal:
Copyright 2002 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this
Bulletin to the Internet community for the purpose of
alerting them to problems, if and only if, the Bulletin is
not edited or changed in any way, is attributed to
Procheckup, and provided such reproduction and/or
distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup
is not liable for any misuse of this information by any
third party.