Summary
This host is running Adobe ColdFusion and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow attackers to disclose the contents of arbitrary files on the system and execute arbitrary code.
Impact Level: System/Application
Solution
Apply the patch from the link below:
http://www.adobe.com/support/security/bulletins/apsb13-03.html
Insight
Multiple flaws are due to:
- The CFIDE/componentutils/cfcexplorer.cfc script not properly sanitizing user input, which allows directory traversal via the 'path' parameter when 'method' is set to 'getcfcinhtml' and 'name' is set to 'CFIDE.adminapi.administrator'.
- The 'ScheduledURL' variable allowing an arbitrary resource to be saved to the system at the location given by the 'publish_file' variable, with the task then scheduled to execute at a set time.
Affected
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10
Detection
Get the installed version of Adobe ColdFusion with the help of the detect NVT and check whether the version is vulnerable.
References
Severity
Classification
CVE: CVE-2013-0625, CVE-2013-0629
CVSS Base Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P