OSEC

From: webmasterprocheckup.com
Date: Wed May 29 2002 - 09:21:32 CDT


    Procheckup Ltd
    www.procheckup.com

    Procheckup Security Bulletin PR02-12

    Description: Gafware's CFXImage showtemp program file
    reading vulnerability

    Date: 23/5/2002

    Vulnerable OS: Microsoft Windows.

    Not Vulnerable OS: N/A

    Platform: Microsoft Windows.
    Severity: Anonymous attackers can read any files on the
    server, providing the web service account has rights to
    read the file.
    Authors: Richard Brain [richard.brainprocheckup.com]
    Vendor Status: Vendor has a patched version available.
    http://www.gafware.com
    CVE Candidate: Not assigned
    Reference: www.procheckup.com/security_info/vuln.html

    Description:

    CFXImage is a custom ColdFusion tag for editing and
    creating images. Versions 1.6.6 and prior are vulnerable
    to a directory traversal flaw.

    showtemp.cfm is part of the CFXImage documentation. The
    showtemp.cfm program does not filter its input variables,
    allowing directory traversal and reading of files outside
    the webroot.

    Showtemp can be exploited to read the boot.ini file in the
    following manner:
    http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=c:\boot.ini
    or
    http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=../../../../../../../../../../../../../../../../../../boot.ini%00

    Platforms Affected:
    Microsoft Windows, ColdFusion and the CFXImage program

    Consequences:
    Anonymous attackers can gain information prior to launching
    an attack.

    Fix:

    As policy all sample programs and documentation should be
    removed from production servers.
    Otherwise upgrade to the latest version of CFXImage, which
    fixes this vulnerability.
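    As an added example (not Procheckup's or Gafware's code), the input
    validation that the FILE parameter of showtemp.cfm lacked, written in
    Python rather than ColdFusion so it can be run here. TEMP_DIR, the
    allowed TYPE values and the file-name pattern are assumptions; fed the
    two request strings from this bulletin, the check rejects both (the
    absolute Windows path and the ../ chain ending in %00) and accepts only
    a plain image name inside the temp directory:

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs

# Hypothetical directory that showtemp.cfm is meant to serve temp images from.
TEMP_DIR = PureWindowsPath(r"C:\inetpub\wwwroot\docs\temp")
ALLOWED_TYPES = {"JPEG", "GIF"}  # assumed set of image types showtemp handles
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(jpe?g|gif)$", re.IGNORECASE)


def resolve_showtemp_file(query: str):
    """Validate a showtemp.cfm query string (TYPE=...&FILE=...).

    Returns the full path inside TEMP_DIR to serve, or None if the
    request must be rejected. parse_qs percent-decodes, so a %00 in
    the URL arrives here as a real NUL character.
    """
    params = parse_qs(query, keep_blank_values=True)
    img_type = params.get("TYPE", [""])[0]
    name = params.get("FILE", [""])[0]

    # 1. Only the image types the page was written to display.
    if img_type.upper() not in ALLOWED_TYPES:
        return None
    # 2. A NUL byte would truncate the name in a C-level open() (the %00 trick).
    if "\x00" in name:
        return None
    candidate = PureWindowsPath(name)
    # 3. No drive letter, UNC share or root: c:\boot.ini, \\srv\share\x, \x.
    if candidate.drive or candidate.root or candidate.is_absolute():
        return None
    # 4. Exactly one path component and no parent references (../ or ..\).
    if len(candidate.parts) != 1 or ".." in candidate.parts:
        return None
    # 5. Allow-list the file-name characters and the extension.
    if not SAFE_NAME.match(candidate.name):
        return None
    return str(TEMP_DIR / candidate)
```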

    References:
    Thanks to Glenn Flansburg for providing a prompt fix.
    Legal:

    Copyright 2002 Procheckup Ltd. All rights reserved.

    Permission is granted for copying and circulating this
    Bulletin to the Internet community for the purpose of
    alerting them to problems, if and only if, the Bulletin is
    not edited or changed in any way, is attributed to
    Procheckup, and provided such reproduction and/or
    distribution is performed for non-commercial purposes.

    Any other use of this information is prohibited. Procheckup
    is not liable for any misuse of this information by any
    third party.