Inge Henriksen has reported a vulnerability in Adobe ColdFusion MX, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused by an input validation error when processing URL-encoded file names. This can be exploited to view arbitrary files in the web root via a specially crafted URL with a doubly-encoded NULL byte and an extension that is handled by ColdFusion, e.g. ".cfm".
The vulnerability is reported in version 7.0.2 running on Windows IIS. Other versions may also be affected.
Solution: Apply hotfix (see vendor's advisory for details).
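Detection: request paths carrying the doubly-encoded NULL byte described above can be found in web server logs. The following is an added example, not part of the original advisory or any vendor code: it percent-decodes each logged path repeatedly and reports the round at which a NUL byte appears. The sample paths, `MAX_ROUNDS` and the function names are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 3  # assumption: peel at most three layers of percent-encoding

# Constructed sample request paths as they might appear in a log, not real traffic.
SAMPLE_REQUESTS = [
    "/index.cfm",
    "/reports/summary.cfm?id=25",
    "/files/notes.txt%2500.cfm",   # NUL hidden behind two encoding layers
    "/files/notes.txt%00.cfm",     # NUL behind a single layer
    "/search.cfm?q=100%2525",      # nested encoding, but no NUL underneath
]


def nul_encoding_depth(raw_path: str) -> int:
    """Return the decoding round that exposes a NUL byte, or 0 if none does."""
    data = raw_path.encode("ascii", "replace")
    for depth in range(1, MAX_ROUNDS + 1):
        decoded = unquote_to_bytes(data)
        if b"\x00" in decoded:
            return depth
        if decoded == data:  # fully decoded, nothing left to peel
            return 0
        data = decoded
    return 0


def flag_requests(paths):
    """Return (path, depth) for every path that hides an encoded NUL byte."""
    hits = []
    for path in paths:
        depth = nul_encoding_depth(path)
        if depth:
            hits.append((path, depth))
    return hits


if __name__ == "__main__":
    for path, depth in flag_requests(SAMPLE_REQUESTS):
        print(f"NUL byte after {depth} decode round(s): {path}")
```

A depth of 2 corresponds to the doubly-encoded form named in the advisory; a filter that only decodes once sees a harmless-looking `%00` literal and lets it through.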