
Macromedia ColdFusion RDS default condition exploit

This paper will review the vulnerabilities associated with the Remote Development Service (RDS), a component of the widely used Macromedia ColdFusion (CF) development platform. RDS gives web developers the ability to 'securely' access remote files and data sources, and debug CFML code. Think of RDS as a proprietary transport protocol, serving the same functionality as FTP. These vulnerabilities were discovered by myself and victim1 (of angrypacket.com) in June of 2003. To date, these vulnerabilities have not evolved into a known distributed attack; however, this paper will clearly argue that this is a distinct possibility.

1486 (PDF, 3.61MB)

15 Nov 2004
By David Bruno
All papers are copyrighted

No re-posting of papers is permitted
