Ok, I've had CF 4.0 (eval) for approx. 1 hour now, and here's over a half
dozen more reasons to not use sample pages: 

http://server/cfdocs/exampleapp/docs/sourcewindow.cfm?Template= 

--shows you contents of any file you want 

http://server/cfdocs/snippets/evaluate.cfm 

--if the expression evaluator has local host only security, why is this
one unprotected? If I knew more CF insides, maybe I could really abuse
this. 

http://server/cfdocs/snippets/fileexists.cfm 

--can be used to verify the existence of any file on the same hard drive.
Granted, it disallows supplying a drive letter, or starting with \ or /.
But the following works for me (since I'm on NT, and \inetpub\wwwroot is
on my boot drive): ..\..\..\..\boot.ini 

http://server/cfdocs/snippets/gettempdirectory.cfm 

--while this is not a security problem in itself, I was QUITE alarmed at what
the results were. Now, my NT installation is a completely generic NT
install (all I did was practically hit the Next button wherever
possible): 

GetTempDirectory Example 

The temporary directory for this Cold Fusion server is C:\WINNT\. 

We have created a temporary file called: C:\WINNT\tes39.tmp 

Now why is \winnt\ my temp directory?!? That means temp files have the
possibility of screwing with my system files. Granted, this is probably
just a variable/setting issue. But still alarming. 

http://server/cfdocs/snippets/setlocale.cfm 

--possibly abusable...it's another eval. 

http://server/cfdocs/snippets/viewexample.cfm?Tagname=..\..\ 

--allows you to view any .CFM files. It automatically adds the .cfm
extension, so only CFM files are prey to this. 

http://server/cfdocs/cfmlsyntaxcheck.cfm 

--I set this to c:\, check *.*, recurse, and it spit out various lists of
.exe's I had. Also caused the CF server process to spike and stay at 100%
CPU utilization. 

Plus it made two ODBC DSNs for the samples. While this is not a threat at
all, there are some drawbacks....(information regarding this will be
released in the future after completion of research). 

Speaking of research, this is in no way thorough. Due to lack of resources
(eval copy running on a p75), I'm only going to mess with the sample
pages. If anyone wishes to donate materials for better research (Allaire?)
I'm all ears. :) 

Cheers, .rain.forest.puppy. 
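As an added example (not code from either post), here is a small Python scanner that a defender could run over IIS-style web logs to find requests to the /cfdocs/ sample pages listed above and the "..\" / "../" traversal sequences the post uses against fileexists.cfm and viewexample.cfm. The log format, the client addresses and the `file=` parameter name in the sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Every sample page in the post lives under /cfdocs/; traversal is "..\" or "../".
SAMPLE_APP_PREFIX = "/cfdocs/"
TRAVERSAL = re.compile(r"\.\.[\\/]")

def decode(s):
    # Decode twice so a double-encoded backslash (%255C) is caught as well as %5C.
    return unquote(unquote(s))

def analyze_request(stem, query):
    """Return the findings for one request (an empty list means nothing of note)."""
    findings = []
    path = decode(stem).replace("\\", "/").lower()
    if path.startswith(SAMPLE_APP_PREFIX):
        findings.append("sample application page under /cfdocs/ requested")
    if TRAVERSAL.search(path) or TRAVERSAL.search(decode(query)):
        findings.append("directory traversal sequence in request")
    return findings

# Constructed W3C-style log lines: date time c-ip method uri-stem uri-query status.
# The client addresses and the "file=" parameter name are made up for this example.
SAMPLE_LOG = [
    r"1999-02-05 21:14:03 10.0.0.5 GET /index.cfm - 200",
    r"1999-02-05 21:14:09 10.0.0.5 GET /cfdocs/snippets/fileexists.cfm file=..\..\..\..\boot.ini 200",
    r"1999-02-05 21:14:15 10.0.0.5 GET /cfdocs/snippets/viewexample.cfm Tagname=..%5C..%5C 200",
    r"1999-02-05 21:14:20 10.0.0.9 GET /shop/cart.cfm id=7 200",
]

def scan_log(lines):
    """Return (client, uri-stem, findings) for every line that deserves review."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line, skip it
        client, stem, query = fields[2], fields[4], fields[5]
        findings = analyze_request(stem, "" if query == "-" else query)
        if findings:
            hits.append((client, stem, findings))
    return hits

if __name__ == "__main__":
    for client, stem, findings in scan_log(SAMPLE_LOG):
        print(client, stem, "; ".join(findings))
```

On a production server the /cfdocs/ tree should not be present at all, so any hit on the first check is worth a look regardless of the traversal check.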

--------------------------------------------------------------------------

Date: Sat, 6 Feb 1999 09:01:51 +0800
From: Gilbert Huang <ghuang@KRAKENCORP.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Cold Fusion and NT security advisory

Just received an email from Allaire with the following security advisories:

Expression Evaluator Security Issues
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full

Cold Fusion 4.0 Example Applications and Sample Code Exposes Servers
http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full

Microsoft Internet Information Server Exposure of Source Code with '::$DATA'
http://www.allaire.com/handlers/index.cfm?ID=8729&Method=Full

Multiple SQL Statements in Dynamic Queries
http://www.allaire.com/handlers/index.cfm?ID=8728&Method=Full

Those of you who use Cold Fusion on your servers should be aware of these
security breaches.

Cheers!
Gilbert Huang