"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion"

Author

Exploit author

Portcullis

Platform

Exploit platform

cfm

Release date

Exploit published date

2015-04-21

                
                         Download file
                    
Vulnerability title: Arbitrary File Retrieval + Deletion In New Atlanta BlueDragon CFChart Servlet
CVE: CVE-2014-5370
Vendor: New Atlanta
Product: BlueDragon CFChart Servlet
Affected version: 7.1.1.17759
Fixed version: 7.1.1.18527
Reported by: Mike Westmacott
Details:

The CFChart servlet of BlueDragon (component com.naryx.tagfusion.cfm.cfchartServlet) is vulnerable to arbitrary file retrieval due to a directory traversal vulnerability. In certain circumstances the retrieved file is also deleted.

Exploit:

In order to retrieve a file from a vulnerable server use the following URL in a web browser and intercept the response from the server:

http://TARGETHOST/cfchart.cfchart?..\..\..\..\..\..\..\..\..\..\TARGETFILE

The browser will display a broken image, however the HTTP response will contain the file’s contents.

Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5370/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2019-09-16	"Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload"	webapps	cfm	"Pankaj Kumar Thakur"
2017-10-24	"Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection"	webapps	cfm	"Anthony Cole"
2015-04-21	"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion"	webapps	cfm	Portcullis
2011-09-27	"Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities"	webapps	cfm	MustLive
2011-08-18	"Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting"	webapps	cfm	G.R0b1n
2011-02-24	"Alcassoft's SOPHIA CMS - SQL Injection"	webapps	cfm	p0pc0rn
2011-02-15	"Lingxia I.C.E CMS - Blind SQL Injection"	webapps	cfm	mr_me
2011-01-25	"ActiveWeb Professional 3.0 - Arbitrary File Upload"	webapps	cfm	StenoPlasma
2010-12-13	"Mura CMS - Multiple Cross-Site Scripting Vulnerabilities"	webapps	cfm	"Richard Brain"
2010-11-24	"ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)"	webapps	cfm	Metasploit

Release Date	Title	Type	Platform	Author
2016-02-03	"Viprinet Multichannel VPN Router 300 - Persistent Cross-Site Scripting"	webapps	hardware	Portcullis
2015-09-25	"X2Engine 4.2 - Arbitrary File Upload"	webapps	php	Portcullis
2015-09-25	"X2Engine 4.2 - Cross-Site Request Forgery"	webapps	php	Portcullis
2015-07-14	"Pimcore CMS Build 3450 - Directory Traversal"	webapps	xml	Portcullis
2015-04-21	"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion"	webapps	cfm	Portcullis
2014-12-10	"OpenEMR 4.1.2(7) - Multiple SQL Injections"	webapps	php	Portcullis
2014-10-28	"Enalean Tuleap 7.4.99.5 - Remote Command Execution"	webapps	php	Portcullis
2014-10-28	"Enalean Tuleap 7.4.99.5 - Blind SQL Injection"	webapps	php	Portcullis
2014-10-28	"Enalean Tuleap 7.2 - XML External Entity File Disclosure"	webapps	php	Portcullis
2014-10-02	"TestLink 1.9.11 - Multiple SQL Injections"	webapps	php	Portcullis
2014-10-02	"PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution"	webapps	php	Portcullis
2014-06-12	"IBM AIX 6.1.8 - 'libodm' Arbitrary File Write"	local	aix	Portcullis
2014-05-14	"Broadcom PIPA C211 - Sensitive Information Disclosure"	webapps	hardware	Portcullis
2014-04-24	"dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read"	webapps	php	Portcullis
2014-03-12	"vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion"	webapps	php	Portcullis
2014-03-12	"Procentia IntelliPen 1.1.12.1520 - 'data.aspx' Blind SQL Injection"	webapps	asp	Portcullis
2014-03-10	"ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution"	webapps	multiple	Portcullis
2014-03-01	"Oracle Demantra 12.2.1 - SQL Injection"	webapps	windows	Portcullis
2014-03-01	"Oracle Demantra 12.2.1 - Persistent Cross-Site Scripting"	webapps	windows	Portcullis
2014-03-01	"Oracle Demantra 12.2.1 - Arbitrary File Disclosure"	webapps	windows	Portcullis
2014-03-01	"Oracle Demantra 12.2.1 - Database Credentials Disclosure"	webapps	windows	Portcullis
2008-05-11	"ScrewTurn Software ScrewTurn Wiki 2.0.x - 'System Log' Page HTML Injection"	webapps	php	Portcullis
2008-05-08	"SAP Internet Transaction Server 6200.1017.50954.0 - Bu query String JavaScript Splicing Cross-Site Scripting"	webapps	cgi	Portcullis
2008-05-08	"SAP Internet Transaction Server 6200.1017.50954.0 Bu (WGate) - 'wgate.dll?~service' Cross-Site Scripting"	webapps	cgi	Portcullis

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.