Bugtraq mailing list archives

Gafware's CFXImage vulnerability


From: <webmaster () procheckup com>
Date: 29 May 2002 14:21:32 -0000



Procheckup Ltd
www.procheckup.com    

Procheckup Security Bulletin PR02-12

Description: Gafware's CFXImage showtemp program file 
reading vulnerability

Date: 23/5/2002

Vulnerable OS: Microsoft Windows.

Not Vulnerable OS: N/A

Platform: Microsoft Windows.
Severity: Anonymous attackers can read any files on the 
server, providing the web service account has rights to 
read the file.
Authors: Richard Brain [richard.brain () procheckup com]
Vendor Status: Vendor has a patched version available.  
HTTP://www.gafware.com
CVE Candidate: Not assigned
Reference: www.procheckup.com/security_info/vuln.html

Description: 

CFXImage is a custom Coldfusion tag for editing and 
creating images.  Versions 1.6.6 and prior are vulnerable 
to a directory traversal flaw.

showtemp.cfm is part of the CFXImage documentation. The 
showtemp.cfm program does not filter its input variables, 
allowing directory traversal and reading of files outside 
the webroot.

Showtemp can be exploited to read the boot.ini file in the 
following manner:
http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=c:\boot.ini
or
http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=../../../../../../../../../../../../../../../../../../boot.ini%00
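The following is an added example, not code from the advisory or from Gafware's CFXImage: a hardened file lookup, written in Python rather than CFML so it runs anywhere, that performs the checks the advisory says showtemp.cfm omits on its FILE and TYPE parameters. TEMP_DIR, the TYPE allow-list and the query strings are constructed for the demonstration; the two rejected inputs mirror the advisory's absolute-path and traversal-plus-%00 examples. Rejecting a NUL byte outright closes the %00 variant whatever the script did after the file name.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Assumed directory of temporary images for the demo (not a CFXImage path).
TEMP_DIR = "/var/www/cfximage/temp"
# Assumed allow-list: the TYPE parameter selects the only extension served.
ALLOWED_TYPES = {"JPEG": ".jpg", "GIF": ".gif", "PNG": ".png"}

_DRIVE_LETTER = re.compile(r"^[a-zA-Z]:")


def resolve_temp_file(file_param, type_param, base=TEMP_DIR):
    """Return (True, absolute path) when file_param names a file inside base,
    otherwise (False, reason). Canonicalises lexically and confines the
    result to base, which is what an unfiltered FILE parameter fails to do."""
    if not file_param:
        return False, "empty FILE"
    if "\x00" in file_param:
        return False, "NUL byte in FILE"
    ext = ALLOWED_TYPES.get(type_param.upper() if type_param else "")
    if ext is None:
        return False, "TYPE not in allow-list"
    # Windows treats backslash and slash alike, so normalise before checking.
    norm = file_param.replace("\\", "/")
    if norm.startswith("/") or _DRIVE_LETTER.match(norm):
        return False, "absolute path in FILE"
    # Resolve . and .. lexically; any attempt to climb above base is rejected.
    parts = []
    for seg in norm.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return False, "traversal above base"
            parts.pop()
            continue
        parts.append(seg)
    if not parts:
        return False, "no file name"
    rel = "/".join(parts)
    if not rel.lower().endswith(ext):
        return False, "extension does not match TYPE"
    full = posixpath.join(base, rel)
    # Belt and braces: the joined path must still share base as its prefix.
    if posixpath.commonpath([base, full]) != base:
        return False, "resolved outside base"
    return True, full


def check_request(query_string):
    """Parse a showtemp-style query string (TYPE=, FILE=) and validate it.
    parse_qs percent-decodes, so a %00 in the URL arrives here as a NUL byte."""
    q = parse_qs(query_string, keep_blank_values=True)
    file_param = q.get("FILE", [""])[0]
    type_param = q.get("TYPE", [""])[0]
    return resolve_temp_file(file_param, type_param)


if __name__ == "__main__":
    # Constructed sample requests: the first two mirror the advisory's inputs.
    for qs in (
        "TYPE=JPEG&FILE=c:\\boot.ini",
        "TYPE=JPEG&FILE=../../../../../../boot.ini%00",
        "TYPE=JPEG&FILE=../../../../../../boot.ini",
        "TYPE=JPEG&FILE=cache/img_1.jpg",
        "TYPE=JPEG&FILE=cache/../img_1.jpg",
    ):
        print(qs, "->", check_request(qs))
```

The lexical resolution deliberately does not touch the filesystem, so the decision is the same whether or not the target exists; a real handler would additionally open the file with the service account's minimal rights, as the advisory's severity note implies.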

Platforms Affected: 
Microsoft Windows, Coldfusion and CFXImage program

Consequences: 
Anonymous attackers can gain information prior to launching 
an attack.

Fix:

As policy all sample programs and documentation should be 
removed from production servers. 
Otherwise upgrade to the latest version of CFXImage, which 
fixes this vulnerability.

References: 
Thanks to Glenn Flansburg for providing a prompt fix.
  
Legal:

Copyright 2002 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this 
Bulletin to the Internet community for the purpose of 
alerting them to problems, if and only if, the Bulletin is 
not edited or changed in any way, is attributed to 
Procheckup, and provided such reproduction and/or 
distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup 
is not liable for any misuse of this information by any 
third party.

