Procheckup Ltd
www.procheckup.com

Procheckup Security Bulletin PR02-12

Description: Gafware's CFXImage showtemp program file reading vulnerability
Date: 23/5/2002
Vulnerable OS: Microsoft Windows.
Not Vulnerable OS: N/A
Platform: Microsoft Windows.
Severity: Anonymous attackers can read any file on the server, provided the web service account has rights to read it.
Authors: Richard Brain [richard.brain@procheckup.com]
Vendor Status: Vendor has a patched version available. HTTP://www.gafware.com
CVE Candidate: Not assigned
Reference: www.procheckup.com/security_info/vuln.html

Description:

CFXImage is a custom ColdFusion tag for editing and creating images. Versions 1.6.6 and prior are vulnerable to a directory traversal flaw. showtemp.cfm is part of the CFXImage documentation; it does not filter its input variables, allowing directory traversal and reading of files outside the webroot.

Showtemp can be exploited to read the boot.ini file in the following manner:

http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=c:\boot.ini

or

http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=../../../../../../../../../../../../../../../../../../boot.ini%00

Platforms Affected: Microsoft Windows, ColdFusion and the CFXImage program

Consequences: Anonymous attackers can gain information prior to launching an attack.

Fix:

As policy, all sample programs and documentation should be removed from production servers. Otherwise, upgrade to the latest version of CFXImage, which fixes this vulnerability.

References:

Thanks to Glenn Flansburg for providing a prompt fix.

Legal:

Copyright 2002 Procheckup Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
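The bulletin describes two ways a FILE parameter escapes the intended directory: an absolute Windows path, and a relative path padded with "../" and terminated with an encoded NUL (%00) so that anything appended by the server is cut off. The following containment check is an added example, not code from the bulletin or from CFXImage; it shows how a script that serves a user-named temp image should validate that parameter. The image directory, the helper names and the sample URLs are constructed for illustration.

```python
"""Containment check for a user-supplied FILE parameter (added example,
not part of the Procheckup bulletin or of CFXImage). Directory and
sample values are constructed."""
import posixpath
from urllib.parse import urlsplit, parse_qs

# Constructed: the directory the temp-image page is meant to serve from.
IMAGE_ROOT = "/var/www/docs/temp"


def safe_image_path(root, requested):
    """Return the absolute path of `requested` inside `root`, or None if the
    request must be refused. Refuses embedded NULs (the %00 truncation in
    the bulletin), absolute and drive-letter paths, and any '..' sequence
    that would resolve outside the root."""
    if not requested:
        return None
    # A NUL byte truncates the name in C-based file APIs; never pass it on.
    if "\x00" in requested:
        return None
    # Treat backslash like '/', so Windows-style input is normalised as well.
    normalised = requested.replace("\\", "/")
    # Absolute paths and drive letters (c:\boot.ini) are never legitimate here.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return None
    joined = posixpath.normpath(posixpath.join(root, normalised))
    # The resolved path must still lie strictly below the root directory.
    if not joined.startswith(root.rstrip("/") + "/"):
        return None
    return joined


def check_request(url):
    """Parse the FILE query parameter from a showtemp-style URL (percent
    escapes such as %00 are decoded by parse_qs) and decide whether it may
    be served. Returns the resolved path or None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    requested = params.get("FILE", [None])[0]
    return safe_image_path(IMAGE_ROOT, requested)


if __name__ == "__main__":
    # Constructed requests modelled on the two shapes in the bulletin.
    for sample in (
        "http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=c:\\boot.ini",
        "http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=../../../../../../boot.ini%00",
        "http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=img123.jpg",
    ):
        print(sample, "->", check_request(sample))
```

The check resolves the joined path before comparing it with the root, so "sub/../img.jpg" is accepted (it stays inside the directory) while any number of "../" segments that climb above the root is refused. Rejecting the NUL byte up front matters independently of the traversal check: a name that is otherwise valid must not be allowed to truncate a suffix the server appends later.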