Adobe ColdFusion Information Disclosure Vulnerability

Bugtraq ID:	21978
Class:	Input Validation Error
CVE:	CVE-2006-5858
Remote:	Yes
Local:	No
Published:	Jan 09 2007 12:00AM
Updated:	Jan 10 2007 08:51PM
Credit:	Inge Henriksen is credited with the discovery of this vulnerability.
Vulnerable:	Adobe ColdFusion MX 7.02 Adobe ColdFusion MX 7.01 Adobe ColdFusion MX 7.00
Not Vulnerable:

Adobe ColdFusion Information Disclosure Vulnerability

Adobe ColdFusion is prone to an information-disclosure vulnerability.

Successfully exploiting this issue allows remote attackers to gain access to the contents of arbitrary files that are not interpreted by ColdFusion. This includes the source of scripting files not handled by ColdFusion, configuration files, log files, and other data files. Information harvested may aid attackers in further attacks.

Adobe ColdFusion MX7, 7.0.1 and 7.0.2 are vulnerable.

Adobe ColdFusion Information Disclosure Vulnerability

Attackers can exploit this issue via a web client.

Adobe ColdFusion Information Disclosure Vulnerability

Solution:
The vendor released an advisory and fixes to address this issue. Please see the references section for more information.

Adobe ColdFusion Information Disclosure Vulnerability

References:

• Adobe ColdFusion Homepage (Adobe)
  
• Adobe Security Advisory APSB07-02 (Adobe)
  
• iDefense Security Advisory 01.09.07: Adobe Macromedia ColdFusion Source Code Dis (iDefense Labs )