ACFUG List: Alert: Allaire Forums GetFile bug

[aleph1 () UNDERGROUND ORG (aleph1 () UNDERGROUND ORG)]

The problem outlined below seems to effect all Allaire Forums 2.0.x
versions.  Allaire has confirmed that the bug exists, and will be issuing a
security bulletin with details about it and a fix shortly.  Until then, use
the following information at your own risk.

Problem:

A file named GetFile.cfm is found in the root directory of Allaire Forums
2.0.x distributions.  This file will allow anyone to access any file on
servers running Forums.  For example, the following URL string format can be
used to call the server's boot.ini file:

GetFile.cfm?FT=Text&FST=Plain&FilePath=C:\boot.ini

The variables in the above string correspond to the tag in the file, which
is:

<CFCONTENT TYPE="#FT#/#FST#" FILE="#FilePath#">

Solution:

GetFile.cfm does not appear to be used anywhere in any of the Forums
templates.  Simply deleting the file or commenting out the code in the file
should protect your server from this exploit.

-Cameron

--------------------
Cameron Childress
McRae Communications
770.460.7277 x.232
770.460.0963 fax