[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PR10-07: Unauthenticated File Retrieval (traversal) within ColdFusion administration console
- To: <vuln@xxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <news@xxxxxxxxxxxxxx>
- Subject: PR10-07: Unauthenticated File Retrieval (traversal) within ColdFusion administration console
- From: research <research@xxxxxxxxxxxxxx>
- Date: Wed, 11 Aug 2010 09:39:55 +0100
PR10-07: Unauthenticated File Retrieval (traversal) within ColdFusion
administration console
Vulnerability found: 17th April 2010
Vendor informed: 19th April 2010
Vulnerability fixed: 10th August 2010
Severity: High
Description:
Adobe ColdFusion is a easy to use and very widely adopted Programming language,
Procheckup has discovered that the ColdFusion admin console (and various
programs within) are vulnerable to multiple directory traversal attacks related
to a input parameter. No authentication is needed; all that is needed is that
the admin console is accessible to the Internet.
Notes: Tested on ColdFusion enterprise version7.0 amd version 8.01 running on
Windows XP, and Windows 2003 R2 SP2 server and mapped to IIS 6.
Defaults were chosen with "server contained installation" "like the earlier
versions", and all subcomponents.
ColdFusion 9 provides an additional layer of filtering to prevent common
attacks, preventing the below attack from working. Procheckup recommends
however ColdFusion 9 users to apply the ColdFusion 9 patches as Procheckup have
found the filtering can be bypassed.
Versions tested and found vulnerable
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
Consequences:
Arbitrary files can be retrieved from the target server, no authentication is
required to exploit this vulnerability.
The following demonstrate the traversal flaw:
*The exploit strings will be published within seven days
Fix:
Apply patches as described below, or restrict access to /CIDE/administrator/ by
IP address or other similar controls.
See http://www.adobe.com/support/security/bulletins/apsb10-18.html
ColdFusion 9
1. Download CFIDE-9.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and
{CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-9.zip to the web root directory that
consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
Administrator shows the location of the CFIDE directory in the value for the
CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in
any other instances.
5. Restart all the ColdFusion instances.
ColdFusion 8.0.1
1. Download CFIDE-801.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and
{CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-801.zip to the web root directory that
consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
Administrator shows the location of the CFIDE directory in the value for the
CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in
any other instances.
5. Restart all the ColdFusion instances.
ColdFusion 8.0
1. Download CFIDE-8.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and
{CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-8.zip to the web root directory that
consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
Administrator shows the location of the CFIDE directory in the value for the
CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in
any other instances.
5. Restart all the ColdFusion instances.
References:
http://www.procheckup.com/Vulnerabilities.php
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2861 CVE-2010-2861
Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)
Legal:
Copyright 2010 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet
community for the purpose of alerting them to problems, if and only if, the
Bulletin is
Not edited or changed in any way, is attributed to Procheckup, and provided
such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup is not liable for
any misuse of this information by any third party.