[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Vulnerabilities in Adobe ColdFusion



Hello list!

I want to warn you about SQL DB Structure Extraction, Full path disclosure
and Cross-Site Scripting vulnerabilities in Adobe ColdFusion.

The vulnerabilities exist at detailed error report page. At 16.11.2010 I
privately informed Adobe about it, but they ignored my letter.

-------------------------
Affected products:
-------------------------

Vulnerable are possibly all versions of Adobe ColdFusion.

----------
Details:
----------

SQL DB Structure Extraction (WASC-13):

http://site/page.cfm?id=-

Information about SQL query is showed (if this web application is working
with DBMS).

Full path disclosure (WASC-13):

http://site/page.cfm?id=-

Full path at server is showed.

XSS (WASC-08):

At request to page http://site/page.cfm?id=- with User-Agent “Mozilla<body
onload=alert(document.cookie)>” it was possible to execute code.
Vulnerability worked in 2009 and at 25.02.2010. Now this vulnerability is
fixed (possibly in last versions of ColdFusion).

XSS (WASC-08):

http://site/page.cfm?id=%3Cbody%20onload=alert(document.cookie)%3E

Attack vector via tag script, which worked in 2009 and at 25.02.2010, was
already fixed in last versions of ColdFusion. But it's still possible to
attack via many other vectors (e.g. via tag body).

------------
Timeline:
------------

2008-2010 - found these vulnerabilities at different web sites on ColdFusion
and informed admins (and some admins of these sites potentially could told
Adobe about these issues, as XSS via User-Agent and via tag script were
fixed at time of February 2010).
2010.11.16 - informed developers (Adobe ignored).
2011.01.27 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4879/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/