CVE-ID

CVE-1999-0455

Description
The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.
Date Entry Created
19990607
Phase (Legacy)
Modified (19991210-01)
Votes (Legacy)
ACCEPT(3) Balinsky, Frech, Ozancin
MODIFY(1) Wall
NOOP(1) Baker
REVIEWING(1) Christey
Comments (Legacy)
 Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues).
   Make "application" plural, since there are three sample applications
   (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
 Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here.
   Since there are 3 separate "executables" with the same
   (or similar) problem, we need to make sure that CD:SF-EXEC
   determines what to do here.  There is evidence that some
   of these .cfm scripts have an "include" file, and if so,
   then CD:SF-LOC says that we shouldn't make separate entries
   for each of these scripts.  On the other hand, the initial
   L0pht discovery didn't include all 3 of these scripts, and
   as far as I can tell, Allaire had patched the first problem
   before the others were discovered.  So, CD:DISCOVERY-DATE
   may argue that we should split these because the problems
   were discovered and patched at different times.

   In any case, this candidate cannot be accepted until the
   Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC,
   and CD:DISCOVERY-DATE content decisions.

Proposed (Legacy)
19990726