ColdFusion Expression Evaluator allows remote file manipulation, including creation

Risk Level: High

Check or Attack Name: ColdFusionEvaluator

Platforms: ColdFusion

Description:

The Expression Evaluator is a sample application shipped with ColdFusion (through version 4.0) to demonstrate the product's expression evaluation features. A vulnerability in this script allows remote attackers to view or delete arbitrary files on the server. The script is intended to be usable only from the local host (127.0.0.1), but when its pages are requested directly it accepts connections from any host.

It was later found that, in addition to reading and deleting files on the server, the script can be used to upload (create) files on the server, which could be used to further compromise the system.
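A way to check whether the sample application is still being reached from outside the machine is to scan the web server's access log for successful requests under the /CFDOCS/expeval/ path from non-loopback addresses. The script below is an added example, not code from the advisory or from Allaire; it assumes Common Log Format access logs and uses a few constructed sample lines, with the path and file name taken from this advisory.

```python
import re
from ipaddress import ip_address

# Constructed sample access-log lines (Common Log Format) for illustration only;
# they are not real traffic from any server.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Feb/1999:10:12:01 -0500] "GET /CFDOCS/expeval/evaluate.cfm HTTP/1.0" 200 1843
192.0.2.44 - - [10/Feb/1999:10:14:33 -0500] "GET /cfdocs/expeval/evaluate.cfm HTTP/1.0" 200 1843
192.0.2.44 - - [10/Feb/1999:10:14:40 -0500] "POST /cfdocs/expeval/evaluate.cfm HTTP/1.0" 200 512
198.51.100.7 - - [10/Feb/1999:10:15:02 -0500] "GET /index.cfm HTTP/1.0" 200 4096
192.0.2.44 - - [10/Feb/1999:10:16:00 -0500] "GET /CFDOCS/expeval/ HTTP/1.0" 404 221
"""

# Assumed log layout: Common Log Format (client, ident, user, timestamp, request, status, bytes).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Sample application directory named in the advisory. Windows web servers treat
# paths case-insensitively, so the comparison is done on the lowercased path.
EXPEVAL_PREFIX = "/cfdocs/expeval/"


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_local(ip):
    """True for loopback addresses (the only clients the sample was meant for)."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def find_expeval_requests(log_text, include_local=False):
    """Return parsed entries for successful (2xx) requests under the expression
    evaluator directory. Loopback clients are the expected case and are skipped
    unless include_local is set; non-2xx responses are ignored because a 404
    means the sample directory has already been removed."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0].lower()
        if not path.startswith(EXPEVAL_PREFIX):
            continue
        if is_local(entry["ip"]) and not include_local:
            continue
        if not 200 <= entry["status"] < 300:
            continue
        hits.append(entry)
    return hits


def summarize(hits):
    """Map each remote client address to the set of HTTP methods it used."""
    summary = {}
    for entry in hits:
        summary.setdefault(entry["ip"], set()).add(entry["method"])
    return summary


if __name__ == "__main__":
    for entry in find_expeval_requests(SAMPLE_LOG):
        print(f'{entry["ip"]} {entry["method"]} {entry["path"]} -> {entry["status"]}')
```

Any remote address that shows up with both GET and POST against the evaluator pages warrants a look at what files were read, written or deleted on that host; a POST is how a file upload through the sample would appear in the log.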

Remedy:

Upgrade to ColdFusion version 4.0.1 at http://www1.allaire.com/handlers/index.cfm?ID=10712&Method=Full.

—OR—

Obtain and install the appropriate ColdFusion Expression Evaluator Security Patch, available at http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full.

—OR—

Users who do not wish to patch their systems should remove the sample applications under /CFDOCS/expeval (in particular "evaluate.cfm"). Sample and documentation applications of this kind should not be present on production servers in any case.

References:

Allaire Security Bulletin ASB99-01, Expression Evaluator Security Issues, http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full

L0pht Security Advisory, Cold Fusion Application Server, http://www.l0pht.com/advisories/cfusion.txt

Phrack Magazine Volume 8, Issue 54, NT Web Technology Vulnerabilities, http://www.phrack.com/search.phtml?view&article=p54-8

Allaire Corporation, ColdFusion 4.0.1 Update Now Available, http://www.allaire.com/handlers/index.cfm?ID=10712&Method=Full
