Adobe has released an additional security advisory and software updates to address the ColdFusion download.cfm arbitrary file retrieval vulnerability.
A vulnerability in Adobe ColdFusion could allow an unauthenticated, remote attacker to download arbitrary files from a targeted system.
The vulnerability is due to improper handling of directory traversal characters by the download.cfm script. An attacker could exploit the vulnerability by sending requests to the targeted script, causing the script to return a targeted file to the attacker and resulting in information disclosure.
Adobe has confirmed this vulnerability and software updates are available.
Adobe ColdFusion versions 9 and 10 are affected.
Exploit code is available publicly that allows exploitation of the vulnerability and attacks using the exploit are being reported in the wild.
Successful exploitation may allow the attacker to retrieve password files that contain hashed passwords. Attackers may be able to use the password hashes to gain unauthorized access to targeted systems with administrative access.
An unauthenticated, remote attacker could exploit this vulnerability to download arbitrary files from a targeted system, resulting in information disclosure. An attacker could access credential files that could allow the attacker to mount further attacks against the system.
The vulnerability is due to improper handling of directory traversal characters by the download.cfm script. The script fails to check the path of parameters that may use directory traversal characters to access files outside allowed directories.
An unauthenticated, remote attacker could exploit the vulnerability by sending requests to the vulnerable script. The processing of the request could return a file in a specified path to the attacker, resulting in information disclosure.
Administrators are advised to apply the appropriate updates.
Administrators may consider disabling or restricting access to the affected script in the vulnerable application.
Administrators are advised to monitor affected systems.
Adobe users are advised to update their installations of ColdFusion using the instructions in the technote at the following link: ColdFusion Hotfix
Version 2, May 9, 2013, 3:26 PM: Adobe has released a security advisory to address the ColdFusion download.cfm arbitrary file retrieval vulnerability.
Version 1, May 8, 2013, 4:42 PM: Adobe ColdFusion contains a vulnerability that could allow an unauthenticated, remote attacker to download arbitrary files from a targeted system. Updates are not available.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.