A vulnerability in the Cold Fusion Expression Evaluator utility could allow an attacker to view and delete any file on the system, and to upload files anywhere on the server. The ability to upload executable files makes this vulnerability even more critical.
The file /cfdocs/expeval/exprcalc.cfm is intended to display the file uploaded by the user, and then delete it. However, it can easily be used to display and delete any file on the system. Furthermore, it can even be used to delete itself, so that subsequently uploaded files will not be deleted by the Expression Evaluator, and will remain on the server. Cold Fusion Application Server versions 2.0, 3.0, 3.1, and 4.0 have this vulnerability.
CVE 1999-0922
The example script sourcewindow.cfm allows a remote
user to view the source code of any file on the server.
Vulnerabilities in several of the sample scripts included in the "snippets" directory could allow an attacker to verify the existence of files on the server, view the source code of Cold Fusion files, or create a denial of service.
CVE 1999-0924
The Syntax Checker is used to check the syntax of Cold Fusion
files. By sending a query which instructs it to check the
syntax of *.*, a heavy load can be created
on the CPU, thus slowing down the response to legitimate
requests.
Cold Fusion contains a Java applet designed to allow an administrator to start or stop the Cold Fusion service. When Basic Security is enabled, this utility is password-protected, so that only an administrator can use it. However, when Advanced Security is enabled, it overrides the password-protection. This allows any remote user to stop the Cold Fusion service, thus creating a denial of service. Cold Fusion 4.0 and 4.0.1 are affected by this vulnerability if Advanced Security is enabled.
If the Expression Evaluator is needed, then either secure the /cfdocs/expeval directory so that it is only accessible by users who require it, or install the patch described in Allaire Security Bulletin 99-01.
If the Start/Stop utility is needed, and Advanced Security is enabled, upgrade to the latest version of Cold Fusion, or use standard Web Server security to restrict startstop.html so that it is only accessible to authorized users.
For more information about the sourcewindow, snippets, and syntax checker vulnerabilities, see Rain Forest Puppy and Allaire Security Bulletin 99-02.
More information about the Start/Stop vulnerability can be found in Allaire Security Bulletin 99-07.