An attacker could view files stored on the server

Jan 10, 2007 08:56 GMT  ·  By

Macromedia ColdFusion is one of the applications that allow you to design internet solutions with ease, based only on the Flash platform and without the need to install a complex application. The program is known and used all over the world, even though its price is high in both the Enterprise and Standard editions. The Enterprise edition was created to let you develop several websites on a single platform or on multiple platforms, so its price starts at $5.999.

Because many developers currently use the application, they should know that a vulnerability has been identified in ColdFusion that could allow an attacker to view all the files stored on a server. Adobe, the company behind the solution, confirmed the issue and also released a patch to fix the flaw. "A potential vulnerability in ColdFusion URL parsing could allow an attacker to access directory listings in the ColdFusion installation directory. A specially crafted command sent to the ColdFusion server could result in the attacker getting access to the directory listings," Adobe said.

The company rated the flaw as important and added that the affected versions of the application are ColdFusion MX 7, ColdFusion MX 7.0.1 and ColdFusion MX 7.0.2, and only on Windows with IIS. Adobe also released several fixes for the vulnerability, which differ from version to version, so if you think you are affected by the flaw, you should check this link.

iDefense Labs, the company that identified and reported the issue, said that "successful exploitation would allow a remote attacker to view the contents of a file on the affected server. Depending on the layout of the files on the server, this could include configuration files, source code written in another scripting language, log files or other data files. Although this vulnerability does not in itself allow execution of code on the server, it may allow an attacker to discover sensitive information such as passwords or to discover vulnerabilities in other scripts on the system or potentially bypass some security restrictions."