Skip to main content
Aura Research Division

Adobe ColdFusion - Path Traversal Vulnerability

Daniel Underhay
Table of Contents
  • CVE(s): CVE-2019-8074
  • Vendor: Adobe
  • Product: ColdFusion
  • Version(s) affected: 2018 Update 4 and earlier versions, 2016 Update 11 and earlier versions
  • Fixed version: 2018 Update 5, 2016 Update 12

Adobe security bulletin details.

Path Traversal Vulnerability (CVE-2017-5219) #

By default, custom applications built using the Adobe ColdFusion platform would block access to the admin portal. Access is restricted (usually) based on IP address, which is added to an allowlist. Any attempts to access the admin portal (for example - https://example.com/CFIDE/administrator/index.cfm), will result in a redirect to the main page of the application.

Using ..;/ it was possible to bypass the access controls and access the ColdFusion admin portal.

For example:

https://example.com/..;/CFIDE/administrator/index.cfm

The idea came from watching a great talk from Orange Tsai on exploiting URL parsers. More info on this topic can be found here.

Disclaimer #

The information in this article is provided for research and educational purposes only. Aura Information Security does not accept any liability in any form for any direct or indirect damages resulting from the use of or reliance on the information contained in this article.

  1. Initial Attempt to Contact Vendor

    Contacted the PaperCut Support Team.

  2. Initial Attempt to Contact Vendor

    Contacted the PaperCut Support Team.