CVE-2006-5858

Name of the Vulnerable Software and Affected Versions Adobe ColdFusion MX versions 7 through 7.0.2 JRun version 4

Description The issue allows remote attackers to read arbitrary files, list directories, or read source code via a double URL-encoded NULL byte in a ColdFusion filename, such as a CFM file. This can be achieved when the software is run on Microsoft IIS.

Recommendations For Adobe ColdFusion MX versions 7 through 7.0.2, consider restricting access to CFM files until a patch is available. For JRun version 4, restrict access to the vulnerable module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.