CVE

Id
454  
CVE No.
CVE-1999-0455  
Status
Candidate  
Description
The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.  
Phase
Modified (19991210-01)  
Votes
ACCEPT(3) Balinsky, Frech, Ozancin | MODIFY(1) Wall | NOOP(1) Baker | REVIEWING(1) Christey  
Comments
Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues). Make "application" plural since there are three sample applications (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).

Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here. Since there are 3 separate "executables" with the same (or similar) problem, we need to make sure that CD:SF-EXEC determines what to do here. There is evidence that some of these .cfm scripts have an "include" file, and if so, then CD:SF-LOC says that we shouldn't make separate entries for each of these scripts. On the other hand, the initial L0pht discovery didn't include all 3 of these scripts, and as far as I can tell, Allaire had patched the first problem before the others were discovered. So, CD:DISCOVERY-DATE may argue that we should split these because the problems were discovered and patched at different times.

In any case, this candidate cannot be accepted until the Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC, and CD:DISCOVERY-DATE content decisions.