Allaire ClusterCATS URL Redirect Vulnerability

BID:1179

Info

Bugtraq ID: 1179
Class: Design Error
CVE:
Remote: Yes
Local: Yes
Published: May 08 2000 12:00AM
Updated: May 08 2000 12:00AM
Credit: Publicized by Allaire in an Allaire Security Bulletin (ASB00-12) on May 8, 2000.
Vulnerable: Allaire ClusterCATS 1.0
+ Allaire ColdFusion Server 4.5.1
+ Allaire ColdFusion Server 4.5
+ Allaire ColdFusion Server 4.0.1
+ Allaire ColdFusion Server 4.0
+ Allaire ColdFusion Server 3.1.2
+ Allaire ColdFusion Server 3.1.1
+ Allaire ColdFusion Server 3.1
+ Allaire ColdFusion Server 3.0.1
+ Allaire ColdFusion Server 3.0
+ Allaire ColdFusion Server 2.0
Not Vulnerable:

Discussion

While performing a URL redirect, Allaire ClusterCATS may append stale data to the redirect URL, and that data can contain sensitive information.

Exploit / POC

see discussion

Solution / Fix

Solution:
Allaire has released a patch which rectifies this issue. Follow these steps to apply the patch:

1. Stop the Bright Tiger service on each server through Control Panel > Services.
2. Go to the cfusion\brighttiger\program directory and rename teserver.dll to teserver.old.
3. Copy the new teserver.dll file into the brighttiger\program directory on each server.
4. Start the Bright Tiger service on each server.
Allaire ClusterCATS 1.0
