## Summary

CVE-2026-48282 is an Adobe ColdFusion Remote Development Services (RDS) FILEIO path handling flaw reachable through `POST /CFIDE/main/ide.cfm?ACTION=FILEIO`. The patched ColdFusion 2025 Update 10 code rejects `..` directory-traversal segments, but it still accepts attacker-supplied absolute paths and passes them to the real FILEIO read/write operators. In this run, the target was Adobe ColdFusion 2025 Update 10 with the official Server Auto-Lockdown installer successfully applied. Apache lockdown rules blocked `/CFIDE`, but the direct ColdFusion Tomcat endpoint remained reachable. When the RDS deployment precondition `rds.security.enabled=false` was present after lockdown, unauthenticated FILEIO requests read `/etc/passwd`, wrote a CFML payload into the ColdFusion `CFIDE` webroot using an absolute path with no `..`, and executed `/usr/bin/id` as `uid=999(cfuser)`.

## Impact

- **Package/component affected:** Adobe ColdFusion 2025 RDS (`coldfusion.rds.RdsFrontEndServlet`, `coldfusion.rds.FileServlet`, `coldfusion.rds.RdsFileSecurity`) exposed through `/CFIDE/main/ide.cfm?ACTION=FILEIO`.
- **Affected versions:** This run validated Adobe ColdFusion 2025 Update 10 (`2025,0,10,331899`) in Docker image `adobecoldfusion/coldfusion2025:2025.0.10`, digest/image ID `sha256:a51436584affbca07abe4909620cdd098f81737ba1e5f368410633df9474592a`. Prior ticket context indicates the original issue affected ColdFusion 2025 Update 9 / 2023 Update 20 and earlier, with partial patch/bypass behavior in later fixed builds.
- **Risk level and consequences:** Critical when RDS is enabled and RDS authentication is disabled or bypassed/reconfigured. An unauthenticated remote attacker can read arbitrary files, write CFML into a web-executable location, and execute commands as the ColdFusion runtime user. In the locked-down Docker target, the demonstrated runtime user was `uid=999(cfuser)`.

## Impact Parity

- **Disclosed/claimed maximum impact:** Unauthenticated remote code execution through RDS FILEIO path traversal/absolute-path bypass.
- **Reproduced impact from this run:** Code execution through the real ColdFusion HTTP endpoint after official Server Auto-Lockdown evidence was present. The script wrote a CFML template under `/opt/coldfusion/cfusion/wwwroot/CFIDE/` using an absolute path and then executed it over Tomcat, producing `PRUVA_LOCKDOWN_RCE_1783451550-154638:uid=999(cfuser) gid=999(cfuser) groups=999(cfuser)`.
- **Parity:** `full` for the tested configuration: CF 2025 Update 10 with Server Auto-Lockdown applied and RDS authentication disabled after lockdown. Apache lockdown blocked `/CFIDE`, but the direct Tomcat product endpoint remained exploitable.
- **Not demonstrated:** The proof does not claim that Apache-fronted `/CFIDE` bypasses the official Apache lockdown rules; the Apache control returned HTTP 404. The proof also does not demonstrate exploitation when `rds.security.enabled=true`; that negative control correctly returned `-100`.

## Root Cause

The vulnerable path is the RDS FILEIO RPC endpoint. The request body is length-prefixed RDS data where the first FILEIO field is the path and the second field is the operator, such as `READ` or `WRITE`. In ColdFusion 2025 Update 10, `coldfusion.rds.RdsFileSecurity.resolveCanonical()` rejects null/empty paths, null bytes, and path strings containing `..` as a traversal segment. The patch path is active, as demonstrated by the `../` negative control returning:

```text
-1:The requested path contains directory traversal sequences and was rejected.
java.io.IOException: The requested path contains directory traversal sequences and was rejected.
    at coldfusion.rds.RdsFileSecurity.resolveCanonical(RdsFileSecurity.java:61)
```

However, the validation does not enforce that the canonical path remains under an approved RDS root or non-web-executable directory. Absolute paths such as `/etc/passwd` and `/opt/coldfusion/cfusion/wwwroot/CFIDE/<marker>.cfm` contain no `..` segment, so they pass the traversal check and reach `FileServlet$FileReadOperator` or `FileServlet$FileWriteOperator`. When the write target is web-executable, the attacker-controlled CFML runs under the ColdFusion service account.

A fix commit was not available in this Docker-image validation. The effective fix should bind FILEIO operations to an explicit allowed root after canonicalization, reject absolute paths outside that root, and keep RDS disabled/authenticated in production and lockdown profiles.

## Reproduction Steps

1. Run `bundle/repro/reproduction_steps.sh` from the bundle root, for example:
   ```bash
   PRUVA_ROOT=/path/to/bundle bash bundle/repro/reproduction_steps.sh
   ```
2. The script:
   - Reuses or starts the real Docker target `adobecoldfusion/coldfusion2025:2025.0.10`.
   - Verifies the official Server Auto-Lockdown success log in the container.
   - Records product identity, image digest, lockdown installer checksum, Apache lockdown config, and locked-down filesystem permissions.
   - Builds real RDS FILEIO binary payloads.
   - Runs an RDS-authentication negative control (`rds.security.enabled=true`) and confirms unauthenticated FILEIO returns `-100`.
   - Re-enables the vulnerable RDS precondition (`rds.enabled=true`, `rds.security.enabled=false`) after lockdown.
   - Sends unauthenticated FILEIO requests through the real ColdFusion Tomcat HTTP endpoint to read `/etc/passwd`, write a CFML marker under `CFIDE`, and execute it.
   - Confirms Apache `/CFIDE` remains blocked and that `../` traversal is rejected by the patched path.
3. Expected evidence:
   - `/etc/passwd` contents in `bundle/logs/post_lockdown_abs_read_passwd.log`.
   - FILEIO write acknowledgement `1:2:XX` in `bundle/logs/post_lockdown_abs_write_cfide_webshell.log`.
   - RCE marker and `uid=999(cfuser)` in `bundle/logs/post_lockdown_rce_tomcat.log`.
   - Apache HTTP 404/403 block in `bundle/logs/post_lockdown_apache_cfide_block.log`.
   - `RdsFileSecurity.resolveCanonical` traversal rejection in `bundle/logs/post_lockdown_traversal_negative.log`.

## Evidence

- `bundle/logs/product_identity.txt`
  - ColdFusion version: `2025,0,10,331899`.
  - Base version: `2025,0,0,331385`.
  - Docker image/digest: `sha256:a51436584affbca07abe4909620cdd098f81737ba1e5f368410633df9474592a`.
  - Lockdown installer MD5: `a4c76d478c07f91891c89d260c042318`.
- `bundle/logs/official_lockdown_success.log`
  - Contains `ColdFusion Server has been locked down successfully!` from the official installer run.
- `bundle/logs/lockdown_state.txt`
  - Shows official Apache lockdown rules including `RedirectMatch 404 (?i).*/CFIDE.*`.
  - Shows locked-down permissions, including `/app` as `551` and `/opt/coldfusion/cfusion/wwwroot/CFIDE` owned by `cfuser`.
- `bundle/logs/post_lockdown_auth_enabled_negative.log`
  - Shows the RDS-authentication negative control: `-100:Unable to authenticate on RDS server using current security information.`
- `bundle/logs/post_lockdown_abs_read_passwd.log`
  - Shows absolute-path read of `/etc/passwd` over FILEIO, including `root:x:0:0:root:/root:/bin/bash` and `cfuser:x:999:999::/home/cfuser:/bin/sh`.
- `bundle/logs/post_lockdown_abs_write_cfide_webshell.log`
  - Shows successful FILEIO write acknowledgement: `1:2:XX` and HTTP 200.
- `bundle/logs/post_lockdown_rce_tomcat.log`
  - Shows command execution result: `PRUVA_LOCKDOWN_RCE_1783451550-154638:uid=999(cfuser) gid=999(cfuser) groups=999(cfuser)`.
- `bundle/logs/post_lockdown_apache_cfide_block.log`
  - Shows Apache-fronted `/CFIDE` blocked with HTTP 404, confirming the exploit used the direct Tomcat product endpoint rather than bypassing Apache request filtering.
- `bundle/logs/post_lockdown_traversal_negative.log`
  - Shows `../` traversal rejected by `RdsFileSecurity.resolveCanonical`, proving the patched traversal filter is active while absolute paths remain accepted.
- `bundle/repro/runtime_manifest.json`
  - Captures runtime entrypoint, service/healthcheck status, proof artifacts, product version, image ID, lockdown checksum, and exploit marker.

## Recommendations / Next Steps

- Enforce canonical-root containment in `RdsFileSecurity.resolveCanonical()` or immediately after it. Canonicalize the requested path, canonicalize the allowed RDS root, and reject any target not contained within the allowed root.
- Reject absolute paths for RDS FILEIO unless they are explicitly mapped to an approved project/RDS root.
- Ensure Server Auto-Lockdown either disables RDS completely or guarantees RDS authentication cannot be disabled while the server is in a locked-down/production profile.
- Do not expose the internal Tomcat port (8500/8501) on production systems; require all external traffic to traverse the hardened webserver connector or firewall.
- Add regression tests for: absolute `/etc/passwd`-style reads, absolute webroot writes, `../` traversal, URL/encoding variants, and all deployment modes (Apache connector and direct Tomcat).
- Administrators should upgrade to Adobe's fixed release when available, keep RDS disabled unless strictly required, and audit for unexpected CFML/JSP files under webroots including `CFIDE`.

## Additional Notes

- Idempotency was confirmed: `bundle/repro/reproduction_steps.sh` ran successfully twice consecutively with fresh per-run markers.
- The proof is product-mode and non-sanitized. It uses real Dockerized Adobe ColdFusion, real Server Auto-Lockdown artifacts, real HTTP requests, and real CFML execution.
- The exploit requires the RDS exposure/precondition (`rds.enabled=true` and `rds.security.enabled=false`). With RDS authentication enabled, the same unauthenticated FILEIO request is rejected with `-100`.
- Apache lockdown remains effective for `/CFIDE`; the issue shown here is that the direct Tomcat endpoint remains a product HTTP boundary that can still exercise RDS FILEIO under the vulnerable RDS configuration.
