Eric Lackey has reported a vulnerability in ColdFusion MX, which can be exploited by malicious, authenticated users to bypass certain security restrictions.
The vulnerability is caused due to an error, which can be exploited to call restricted methods through an object of a specially crafted class written to the ColdFusion
library directory.
Successful exploitation may e.g. disclose the administrative password, but requires permissions to create a Cold Fusion template on a server with CreateObject or
cfobject tags enabled.
The vulnerability has been reported in version 6.1. Other versions may also be affected.
SOLUTION:
Grant only trusted users permissions to create templates on the ColdFusion MX server.
PROVIDED AND/OR DISCOVERED BY:
Eric Lackey
http://community.securityteam.us/article.php/2004100518341637