cf40.txt

cf40.txt
Posted Aug 17, 1999
Authored by rain forest puppy

Cold Fusion v4.0 security - A variety of security holes described in Cold Fusion v4.0.

tags | exploit
SHA-256 | 230ff3e0a74a6aa551135eb38cf3d5bd7af5e943be271533a4de040b6cca45df

Ok, I've had CF 4.0 (eval) for approx. 1 hour now, and here's over a half
dozen more reasons to not use sample pages:

http://server/cfdocs/exampleapp/docs/sourcewindow.cfm?Template=

--shows you contents of any file you want

http://server/cfdocs/snippets/evaluate.cfm

--if the expression evaluator has local host only security, why is this
one unprotected? If I knew more CF insides, maybe I could really abuse
this.

http://server/cfdocs/snippets/fileexists.cfm

--can be used to verify the existence of any file on the same hard drive.
Granted, it disallows supplying a drive letter, or starting with \ or /.
But the following works for me (since I'm on NT, and \inetpub\wwwroot is
on my boot drive): ..\..\..\..\boot.ini

http://server/cfdocs/snippets/gettempdirectory.cfm

--while this is not a security problem in itself, I was QUITE alarmed what
the results were. Now, my NT installation is a completely generic NT
install (all I did was practically hit the Next button wherever
possible):

GetTempDirectory Example

The temporary directory for this Cold Fusion server is C:\WINNT\.

We have created a temporary file called: C:\WINNT\tes39.tmp

Now why is my \winnt\ my temp directory?!? That means temp files have the
possibility of screwing with my system files. Granted, this is probably
just a variable/setting issue. But still alarming.

http://server/cfdocs/snippets/setlocale.cfm

--possibly abusable...it's another eval.

http://server/cfdocs/snippets/viewexample.cfm?Tagname=..\..\

--allows you to view any .CFM files. It automatically adds the .cfm
extension, so only CFM files are prey to this.

http://server/cfdocs/cfmlsyntaxcheck.cfm

--I set this to c:\, check *.*, recurse, and it spit out various lists of
.exe's I had. Also caused the CF server process to spike and stay at 100%
CPU utilization.

Plus it made two ODBC DSNs for the samples. While this is not a threat at
all, there are some drawbacks....(information regarding this will be
released in the future after completion of research).

Speaking of research, this is in no way thorough. Due to lack of resources
(eval copy running on a p75), I'm only going to mess with the sample
pages. If anyone wishes to donate materials for better research (Allaire?)
I'm all ears. :)

Cheers, .rain.forest.puppy.
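
The fileexists.cfm item above shows why a filter that only rejects a drive letter or a leading \ or / is not enough: a relative path of ..\..\..\..\boot.ini passes that filter and still escapes the web root. The following is an added example, not code from the post or from Allaire: it reproduces that weak check, then shows the check a defender actually wants (canonicalize the joined path with ntpath and require the result to stay under the web root), and adds a small triage helper that picks requests to the /cfdocs/ sample tree out of access-log lines. The web root C:\inetpub\wwwroot and the log lines are constructed for the example; ntpath is used so the NT path rules apply regardless of the platform the script runs on.

```python
import ntpath

# Assumed web root for the example (constructed; matches the post's NT layout)
WEBROOT = r"C:\inetpub\wwwroot"

# Prefix of the Cold Fusion 4.0 documentation/sample tree named in the post
SAMPLE_PAGE_PREFIX = "/cfdocs/"


def naive_check(user_path: str) -> bool:
    """Mirror the sample page's filter as described: reject a drive letter
    or a leading \\ or /. Everything else, including ..\\ sequences, passes."""
    if ntpath.splitdrive(user_path)[0]:
        return False
    if user_path.startswith(("\\", "/")):
        return False
    return True


def resolve(user_path: str, webroot: str = WEBROOT) -> str:
    """Join the user-supplied path onto the web root and canonicalize it,
    collapsing every .. component the way the file system would."""
    return ntpath.normpath(ntpath.join(webroot, user_path))


def confined_to_webroot(user_path: str, webroot: str = WEBROOT) -> bool:
    """The check a defender wants: after canonicalization the path must
    still be the web root or something beneath it."""
    if not naive_check(user_path):
        return False
    full = resolve(user_path, webroot).lower()
    root = ntpath.normpath(webroot).rstrip("\\").lower()
    return full == root or full.startswith(root + "\\")


def flag_sample_page_requests(log_lines):
    """Return the request paths from common-log-format lines that touch the
    /cfdocs/ sample tree; on a production server these should not exist at all."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        path = parts[6]
        if path.lower().startswith(SAMPLE_PAGE_PREFIX):
            hits.append(path)
    return hits


# Constructed access-log lines for the triage helper
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/1999:10:00:01 -0500] "GET /index.cfm HTTP/1.0" 200 512',
    '10.0.0.9 - - [17/Aug/1999:10:00:07 -0500] "GET /cfdocs/snippets/fileexists.cfm HTTP/1.0" 200 311',
    '10.0.0.9 - - [17/Aug/1999:10:00:09 -0500] "GET /cfdocs/exampleapp/docs/sourcewindow.cfm?Template=..\\..\\boot.ini HTTP/1.0" 200 884',
]

if __name__ == "__main__":
    probe = r"..\..\..\..\boot.ini"
    print("naive filter accepts:", naive_check(probe))          # True
    print("resolves to:", resolve(probe))                         # C:\boot.ini
    print("confined to web root:", confined_to_webroot(probe))    # False
    print("sample-page requests:", flag_sample_page_requests(SAMPLE_LOG))
```

The canonicalize-then-compare approach also keeps legitimate relative paths working (for example ..\wwwroot\default.htm still resolves inside the web root), which is why it is preferable to blacklisting ".." substrings.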

--------------------------------------------------------------------------

Date: Sat, 6 Feb 1999 09:01:51 +0800
From: Gilbert Huang <ghuang@KRAKENCORP.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Cold Fusion and NT security advisory

Just received an email from Allaire with the following security advisories:

Expression Evaluator Security Issues
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full

Cold Fusion 4.0 Example Applications and Sample Code Exposes Servers
http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full

Microsoft Internet Information Server Exposure of Source Code with '::$DATA'
http://www.allaire.com/handlers/index.cfm?ID=8729&Method=Full

Multiple SQL Statements in Dynamic Queries
http://www.allaire.com/handlers/index.cfm?ID=8728&Method=Full

Those of you who use Cold Fusion on your servers should be aware of these
security breaches.

Cheers!
Gilbert Huang
