CVE-2013-0629 — Adobe ColdFusion Directory Traversal Vulnerability

Adobe ColdFusion — Unauthenticated Directory Traversal Exposes Restricted Server Files Including Configuration and Credentials

What is Adobe ColdFusion?

Adobe ColdFusion is an enterprise application server platform widely deployed in government agencies, financial institutions, and large enterprises. ColdFusion exposes web endpoints for both application delivery and administrative functions. Directory traversal vulnerabilities in web application servers are particularly damaging because they allow attackers to read arbitrary files from the server's filesystem — including configuration files containing database passwords, private keys, session data, and source code — without requiring any authentication.

Overview

CVE-2013-0629 is a directory traversal vulnerability in Adobe ColdFusion that allows an unauthenticated remote attacker to access files outside the intended web root by using path traversal sequences (such as ../) in request parameters. This permits reading restricted server-side files including ColdFusion configuration files, which typically contain plaintext database connection credentials and other sensitive data. The CVSS confidentiality impact is High with no integrity or availability impact — a read-only information disclosure vulnerability.

Adobe patched this in Security Bulletin APSB13-03 on January 9, 2013, alongside the authentication bypass CVE-2013-0625 and information disclosure CVE-2013-0631.

Affected Versions

Product                              Affected   Fixed
Adobe ColdFusion 9.0, 9.0.1, 9.0.2   Yes        APSB13-03
Adobe ColdFusion 10                  Yes        APSB13-03

Technical Details

Directory traversal (also called path traversal) vulnerabilities occur when a web application uses user-supplied input to construct filesystem paths without properly sanitizing path traversal sequences. In ColdFusion's case, a URL endpoint accepted a filename or path parameter that was used to serve content; by including ../ sequences, attackers could navigate above the intended directory and read arbitrary files accessible to the ColdFusion process.

Files of particular interest to attackers on a ColdFusion server include:

  • neo-query.xml — contains datasource definitions with plaintext database credentials
  • password.properties — ColdFusion Administrator password hash
  • jvm.config — JVM configuration including system paths
  • Application source code (.cfm and .cfc files) containing hardcoded credentials or business logic

This vulnerability is frequently chained with CVE-2013-0625 (authentication bypass): the directory traversal reveals credentials or configuration that can be used to further exploit the system.

Discovery

The vulnerability was found through security research and disclosed to Adobe under coordinated disclosure, resulting in its inclusion in APSB13-03.

Exploitation Context

CISA confirmed in-the-wild exploitation. Directory traversal on ColdFusion servers was part of a documented attack pattern in early 2013: attackers first used CVE-2013-0629 to retrieve database credentials and ColdFusion configuration, then leveraged those credentials or used the authentication bypass (CVE-2013-0625) to achieve full administrative access and deploy persistent webshells.

Remediation

  1. Apply APSB13-03 immediately on all affected ColdFusion installations
  2. Apply Adobe's ColdFusion lockdown guide — it includes specific URL filtering and directory access restrictions that prevent traversal
  3. Configure the web server (IIS or Apache) to block requests containing path traversal sequences (../, %2e%2e, etc.) at the WAF or URL rewrite layer
  4. Audit ColdFusion neo-query.xml and other configuration files for exposure; rotate all database credentials as a precaution
  5. Review web server access logs for traversal patterns — look for requests containing .. or %2e%2e sequences in path parameters
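The log review in step 5, written out as an added example (not part of the original advisory and not an Adobe tool): a small Python scanner over constructed Apache-style access-log lines. The endpoint name view.cfm and its file parameter are placeholders, and the scanner percent-decodes each request target repeatedly (bounded) so that encoded variants such as %2e%2e collapse to ../ before matching, which is why filtering or searching on the literal string ../ alone misses requests.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines (not real traffic). The
# endpoint "view.cfm" and its "file" parameter are placeholders, not a real
# ColdFusion URL from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2013:08:15:02 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 5123
10.0.0.9 - - [10/Jan/2013:08:16:44 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0
10.0.0.12 - - [10/Jan/2013:08:17:10 +0000] "GET /view.cfm?file=..%2F..%2Flib%2Fneo-query.xml HTTP/1.1" 200 8842
10.0.0.12 - - [10/Jan/2013:08:17:31 +0000] "GET /view.cfm?file=%252e%252e%252fpassword.properties HTTP/1.1" 200 1023
10.0.0.12 - - [10/Jan/2013:08:18:02 +0000] "GET /view.cfm?file=../../jvm.config HTTP/1.1" 404 311
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A ".." step bounded on the left by start of string, a path separator or a
# query delimiter, and on the right by a separator or end of string.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|$)')

def normalize(target, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %2e%2e and double-encoded
    %252e%252e both collapse to '..', then fold backslashes to '/'."""
    decoded, prev, rounds = target, None, 0
    while decoded != prev and rounds < max_rounds:
        prev, decoded = decoded, unquote(decoded)
        rounds += 1
    return decoded.replace('\\', '/')

def is_traversal(target):
    """True if the decoded request target contains a '..' path step."""
    return TRAVERSAL_RE.search(normalize(target)) is not None

def scan_log(text):
    """Return one dict per log line whose request target looks like traversal.
    A 200 status on such a request is the higher-priority signal, since it
    suggests the requested file was actually served."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group('target')):
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'status': int(m.group('status')),
                         'decoded': normalize(m.group('target'))})
    return hits

HITS = scan_log(SAMPLE_LOG)  # three hits on the constructed sample
```

Feed real access logs through scan_log and sort hits by status so successful (200) reads of files such as neo-query.xml are triaged first.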

Key Details

Property              Value
CVE ID                CVE-2013-0629
Vendor / Product      Adobe — ColdFusion
NVD Published         2013-01-09
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CISA KEV Added        2022-03-07
CISA KEV Deadline     2022-09-07
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2022-09-07. Apply updates per vendor instructions.

Timeline

Date        Event
2013-01-09  Adobe releases APSB13-03, patching CVE-2013-0629 alongside CVE-2013-0625 and CVE-2013-0631
2013-01-09  CVE-2013-0629 published
2022-03-07  Added to the CISA Known Exploited Vulnerabilities catalog
2022-09-07  CISA BOD 22-01 remediation deadline

References

Resource                           Type
NVD — CVE-2013-0629                Vulnerability Database
CISA KEV Catalog Entry             US Government
Adobe Security Bulletin APSB13-03  Vendor Advisory