Cold Fusion Expression Evaluator Vulnerability

Impact

A vulnerability in the Cold Fusion Expression Evaluator utility could allow an attacker to view and delete any file on the system, and to upload files anywhere on the server. The ability to upload executable files makes this vulnerability even more critical.

Background

The Cold Fusion Application Server includes online documentation and sample code by default. Included in the sample code is the Expression Evaluator utility, which allows a developer to experiment with Cold Fusion expressions by uploading expressions from a local PC and having the Expression Evaluator evaluate them.

The Problem

The file /cfdocs/expeval/exprcalc.cfm, part of the Expression Evaluator utility, is intended to display the file uploaded by the user, and then delete it. However, it can easily be used to display and delete any file on the system. Furthermore, it can even be used to delete itself, so that subsequently uploaded files will not be deleted by the Expression Evaluator, and will remain on the server. Cold Fusion Application Server versions 2.0, 3.0, 3.1, and 4.0 have this vulnerability.

Resolutions

In general, online documentation and sample utilities should not be kept on operational web servers. To disable the Expression Evaluator, delete the /cfdocs/expeval directory. If the Expression Evaluator is needed, then either secure the /cfdocs/expeval directory so that it is only accessible by users who require it, or install the patch described in Allaire Security Bulletin 99-01.
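A complementary detection check, added here as an example and not part of the advisory or of Allaire's own tooling: it scans web server access-log lines in Common Log Format and flags every request into the /cfdocs/expeval/ directory named above, rating hits on exprcalc.cfm highest so that requests that reach the utility before it is removed (or that keep arriving after it has been) stand out. The log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, unquote

# Paths of the Expression Evaluator sample utility named in the advisory.
EXPEVAL_DIR = "/cfdocs/expeval/"
EXPRCALC = "/cfdocs/expeval/exprcalc.cfm"

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def classify(line):
    """Return a dict describing the request if it touches /cfdocs/expeval/, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Strip the query string and decode percent-encoding before comparing.
    path = unquote(urlparse(m.group("target")).path)
    # Compare case-insensitively: Cold Fusion commonly ran on Windows/IIS,
    # where /CFDOCS/ and /cfdocs/ reach the same directory.
    if not path.lower().startswith(EXPEVAL_DIR):
        return None
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
        # exprcalc.cfm is the page that displays and deletes files.
        "severity": "high" if path.lower() == EXPRCALC else "medium",
    }


def scan(lines):
    """Return the flagged entries, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/1999:12:00:01 -0500] "GET /index.cfm HTTP/1.0" 200 1532',
    '10.0.0.9 - - [10/Feb/1999:12:00:07 -0500] "GET /CFDOCS/expeval/exprcalc.cfm?x=1 HTTP/1.0" 200 812',
    '10.0.0.9 - - [10/Feb/1999:12:00:09 -0500] "GET /cfdocs/expeval/ HTTP/1.0" 200 655',
    '10.0.0.9 - - [10/Feb/1999:12:00:12 -0500] "POST /cfdocs/expeval/exprcalc.cfm HTTP/1.0" 404 310',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 404 on exprcalc.cfm after the directory has been deleted still shows that someone is probing for the utility, which is why the status is kept in the output rather than used to filter.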

Where can I read more about this?

More information about the Expression Evaluator vulnerability can be found in the L0pht Security Advisory and in Allaire Security Bulletin 99-01.