Cold Fusion v4.0 security - A variety of security holes described in Cold Fusion v4.0.
Ok, I've had CF 4.0 (eval) for approx. 1 hour now, and here's over a half
dozen more reasons to not use sample pages:
http://server/cfdocs/exampleapp/docs/sourcewindow.cfm?Template=
--shows you contents of any file you want
http://server/cfdocs/snippets/evaluate.cfm
--if the expression evaluator has local host only security, why is this
one unprotected? If I knew more CF insides, maybe I could really abuse
this.
http://server/cfdocs/snippets/fileexists.cfm
--can be used to verify the existence of any file on the same hard drive.
Granted, it disallows supplying a drive letter, or starting with \ or /.
But the following works for me (since I'm on NT, and \inetpub\wwwroot is
on my boot drive): ..\..\..\..\boot.ini
http://server/cfdocs/snippets/gettempdirectory.cfm
--while this is not a security problem in itself, I was QUITE alarmed at what
the results were. Now, my NT installation is a completely generic NT
install (all I did was practically hit the Next button wherever
possible):
GetTempDirectory Example
The temporary directory for this Cold Fusion server is C:\WINNT\.
We have created a temporary file called: C:\WINNT\tes39.tmp
Now why is my \winnt\ my temp directory?!? That means temp files have the
possibility of screwing with my system files. Granted, this is probably
just a variable/setting issue. But still alarming.
http://server/cfdocs/snippets/setlocale.cfm
--possibly abusable...it's another eval.
http://server/cfdocs/snippets/viewexample.cfm?Tagname=..\..\
--allows you to view any .CFM files. It automatically adds the .cfm
extension, so only CFM files are prey to this.
http://server/cfdocs/cfmlsyntaxcheck.cfm
--I set this to c:\, check *.*, recurse, and it spit out various lists of
.exe's I had. Also caused the CF server process to spike and stay at 100%
CPU utilization.
Plus it made two ODBC DSNs for the samples. While this is not a threat at
all, there are some drawbacks....(information regarding this will be
released in the future after completion of research).
Speaking of research, this is in no way thorough. Due to lack of resources
(eval copy running on a p75), I'm only going to mess with the sample
pages. If anyone wishes to donate materials for better research (Allaire?)
I'm all ears. :)
Cheers, .rain.forest.puppy.
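An added illustration of the fileexists.cfm point above (this is example code written for this page, not code from either post, from Allaire, or from the sample application): a blocklist that only refuses drive letters and a leading \ or / still lets ..\ traversal through, whereas canonicalizing the joined path and checking that it stays under the web root does not. WEB_ROOT is an assumed path standing in for the IIS root mentioned in the post.

```python
import ntpath
from typing import Optional

# Constructed for this example: the web root the sample pages would serve
# from on a default NT/IIS install like the one described in the post.
WEB_ROOT = r"C:\inetpub\wwwroot"


def weak_check(user_path: str) -> bool:
    """Blocklist in the spirit of the rule fileexists.cfm is described as
    applying: refuse an explicit drive letter and a leading backslash or
    slash. Relative traversal with '..' passes untouched."""
    if len(user_path) >= 2 and user_path[0].isalpha() and user_path[1] == ":":
        return False
    if user_path.startswith(("\\", "/")):
        return False
    return True


def resolve_within(base: str, user_path: str) -> Optional[str]:
    """Canonicalize base joined with user_path and return the result only if
    it is still inside base, else None. ntpath applies Windows path rules on
    any host, so this also runs on a non-Windows machine."""
    base_n = ntpath.normcase(ntpath.normpath(base))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(base_n, user_path)))
    try:
        if ntpath.commonpath([base_n, target]) != base_n:
            return None
    except ValueError:  # different drive, or absolute mixed with relative
        return None
    return target


def compare(user_path: str) -> tuple:
    """Return (weak_check verdict, containment result) for one input."""
    return weak_check(user_path), resolve_within(WEB_ROOT, user_path)


if __name__ == "__main__":
    # Constructed inputs; the first is the traversal quoted in the post above.
    for p in (r"..\..\..\..\boot.ini", r"docs\index.cfm", r"\winnt\win.ini",
              r"c:\boot.ini", r"docs/../../other.cfm"):
        allowed, contained = compare(p)
        print(f"{p!r:28} weak_check={allowed!s:5} contained={contained}")
```

The weak check accepts the post's ..\..\..\..\boot.ini and the forward-slash variant, while the containment check rejects both along with the inputs the blocklist already caught.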
--------------------------------------------------------------------------
Date: Sat, 6 Feb 1999 09:01:51 +0800
From: Gilbert Huang <ghuang@KRAKENCORP.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Cold Fusion and NT security advisory
Just received an email from Allaire with the following security advisories:
Expression Evaluator Security Issues
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full
Cold Fusion 4.0 Example Applications and Sample Code Exposes Servers
http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Microsoft Internet Information Server Exposure of Source Code with '::$DATA'
http://www.allaire.com/handlers/index.cfm?ID=8729&Method=Full
Multiple SQL Statements in Dynamic Queries
http://www.allaire.com/handlers/index.cfm?ID=8728&Method=Full
Those of you who use Cold Fusion on your servers should be aware of these
security breaches.
Cheers!
Gilbert Huang