Will Dormann, a security researcher at Carnegie Mellon University’s CERT/CC, reports that the Adobe ColdFusion installer does not create a secure access-control list on the default installation directory.
Because the ACL is not set adequately, any unprivileged user is able to create files within the directory structure, which could lead to a privilege escalation security flaw.
In the vulnerability note published on CERT/CC’s website, Dormann says, “by default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself.”
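The following PowerShell audit script is an added example, not code from the CERT/CC note, from Dormann or from Adobe. It walks an installation directory and reports any Allow ACE that grants write or create rights to a low-privilege principal, which is the condition the note describes. The install path is a placeholder parameter, and the list of principals treated as low-privilege is the author's assumption; both should be adjusted to the environment.

```powershell
# Added audit example (not from the CERT/CC note or Adobe): report ACEs on an
# install directory that let low-privilege principals create or modify files.
param(
    # Placeholder path; replace with the actual ColdFusion installation directory.
    [string]$Path = 'C:\PATH\TO\ColdFusion'
)

# Principals that should not hold write access to a server's install tree.
# This list is an assumption; extend it for site-specific groups.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that permit creating or modifying files and subdirectories.
# Modify already includes Write/CreateFiles/CreateDirectories; FullControl
# includes Modify. The two raw bits cover GENERIC_WRITE and GENERIC_ALL,
# which appear on some inherited ACEs instead of the specific flags.
$writeRights = [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
               [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
               0x40000000 -bor   # GENERIC_WRITE
               0x10000000        # GENERIC_ALL

function Get-WeakWriteAces {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are reported separately below.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Directory
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Audit the root and every subdirectory; output is empty when no weak ACE exists.
$findings = @(Get-WeakWriteAces -Directory $Path)
$findings += Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-WeakWriteAces -Directory $_.FullName }

if ($findings.Count -eq 0) {
    Write-Output "No write access for low-privilege principals found under $Path"
} else {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
}
```

The script reports a positive finding whenever an Allow entry grants a listed principal any write-capable right; it does not evaluate Deny entries or effective permissions, so a reported entry should be confirmed with the effective-access view before remediation. Per the vulnerability note, the fix is not a hand edit of the ACL but running the ColdFusion Server Auto-Lockdown installer; this check is a way to verify the directory afterwards.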
To Read More: SecurityWeek