Secunia - Stay Secure
Home Corporate Website Jobs Updated Mailing Lists RSS Blog  Online Shop Advertise
Software Inspectors
  Scan Online
  Personal (PSI)
  Network (NSI 2.0)

Solutions For
  Security Professionals
  Security Vendors

Free Solutions For
  Open Communities
  Journalists & Media

Secunia Advisories
  Search
  Historic Advisories
  Listed By Product
  Listed By Vendor
  Statistics / Graphs
  Secunia Research
  Report Vulnerability
  About Advisories

Virus Information
  Chronological List
  Last 10 Virus Alerts
  About Virus Information

Secunia Customers
  Customer Area


Adobe ColdFusion MX Freigabe von Datei-Inhalten Advisory Available in English  Advisory Available in Danish 

Secunia Advisory: SA23668  
Herausgegeben: 2007-01-10

Gefahrenstufe:
Mittelgradig kritisch
Auswirkung: Enthüllung von sensiblen Informationen
Von Wo: Aus dem Internet
Lösungsstatus: Hersteller-Patch

Software:Adobe ColdFusion MX 7.x

CVE reference:CVE-2006-5858 (Secunia mirror)
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Beschreibung:
Inge Henriksen hat eine Sicherheitslücke in Adobe ColdFusion MX gemeldet, die böswillige Personen ausnutzen können, um potenziell sensible Informationen zu enthüllen.

Die Sicherheitslücke besteht in einem Fehler in der Überprüfung von Eingaben bei der Verarbeitung von URL-encodierten Dateinamen. Diese kann ausgenutzt werden, um durch eine speziell präparierte URL mit doppelt-encodiertem Null-Byte und einer Dateiendung, die von ColdFusion verarbeitet wird (z.B. ".cfm") beliebige Dateien innerhalb des Web-Root zu betrachten.

Die Sicherheitslücke wurde in Version 7.0.2 auf Windows IIS gemeldet. Andere Versionen können ebenfalls betroffen sein.

Lösung:
Verwenden Sie den Hotfix (beachten Sie das Advisory des Herstellers für Details).

Gemeldet und/oder entdeckt von:
Entdeckt durch Inge Henriksen und gemeldet via iDefense Labs.

Original Advisory:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb07-02.html

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=466


Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

7 Related Secunia Security Advisories

1. Adobe ColdFusion Mehrere Sicherheitslücken
2. Adobe ColdFusion Session-Hijacking-Sicherheitslücke
3. Adobe ColdFusion MX unsichere Ordner- und Dateizugriffsrechte
4. Adobe JRun IIS 6 Connector Denial of Service
5. Adobe ColdFusion MX Cross-Site-Scripting-Sicherheitslücken
6. Adobe JRun Administrator-Konsole Cross-Site-Scripting
7. Adobe ColdFusion MX Umgehung des Cross-Site-Scripting-Schutzes

Show all related advisories


Send Feedback to Secunia

If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.








Secunia PSI
Scan | Patch | Track
Free Download

Secunia Poll

Do you think it's important to read Setup/User Guides for applications for use within your network?


See Results   


Most Popular Advisories

1.
OpenOffice "rtl_allocateMe mory()" Truncation Vulnerability
2.
JustSystems Ichitaro Products Unspecified Code Execution Vulnerability
3.
Red Hat update for tomcat
4.
Ampache "gather-message s.sh" Insecure Temporary Files
5.
Tiger "genmsgidx" Insecure Temporary Files
6.
R "javareconf" Insecure Temporary Files
7.
HP-UX update for Apache
8.
Honeyd "test.sh" Insecure Temporary Files
9.
Red Hat update for openoffice.org
10.
Citadel "migrate_aliase s.sh" Insecure Temporary Files





Vulnerability Management - Terms & Conditions - Copyright 2002-2008 Secunia - Compliance - Contact Secunia