The problem outlined below seems to effect all Allaire Forums 2.0.x versions. Allaire has confirmed that the bug exists, and will be issuing a security bulletin with details about it and a fix shortly. Until then, use the following information at your own risk. Problem: A file named GetFile.cfm is found in the root directory of Allaire Forums 2.0.x distributions. This file will allow anyone to access any file on servers running Forums. For example, the following URL string format can be used to call the server's boot.ini file: GetFile.cfm?FT=Text&FST=Plain&FilePath=C:\boot.ini The variables in the above string correspond to the tag in the file, which is: <CFCONTENT TYPE="#FT#/#FST#" FILE="#FilePath#"> Solution: GetFile.cfm does not appear to be used anywhere in any of the Forums templates. Simply deleting the file or commenting out the code in the file should protect your server from this exploit. -Cameron -------------------- Cameron Childress McRae Communications 770.460.7277 x.232 770.460.0963 fax
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:51 PDT