L0pht Security Advisory
-------------

URL Origin:    http://www.l0pht.com/advisories.html 
Release Date:  April 20th, 1999 
Application:   Cold Fusion Application Server 
Severity:      Web users can download, delete and even upload 
               executable files to a Cold Fusion server. Access 
               is not limited to files under the web root. 
Author:        kklinsky@themerge.com 
Operating Sys: All platforms  

-------------


I. Description 

In issue 54, volume 8 of Phrack Magazine dated December 25, 1998, 
rain.forest.puppy <rfpuppy@iname.com> describes a security problem with 
installations of Cold Fusion Application Server when the online 
documentation is installed. The online documentation is installed by 
default. According to Phrack, the vulnerability allows web users to view 
files anywhere on the server. 

On February 4, 1999, Allaire posted a fix on their web site 
(www.allaire.com) and also recommend that documentation not be stored 
on production servers. They also acknowledge that the hole allows web 
users to read and also delete files on the server. The patch 
successfully fixes the problem if you decide to keep the documentation 
on the server. 

In examining an unpatched Cold Fusion Application Server it became 
apparent that in addition to reading and deleting files, web users also 
have the ability to upload (potentially executable) files to the server. 

A cursory survey of many large corporate and e-commerce sites using Cold 
Fusion turned up many vulnerable servers. The purpose of this advisory is 
to stress how important it is to use the patch that Allaire provides or 
take other measures to prevent web users from accessing this security 
hole.


II. Details

By default, the Cold Fusion application server install program installs 
sample code as well as online documentation. As part of this collection 
is a utility called the "Expression Evaluator". The purpose of this 
utility is to allow developers to easily experiment with Cold Fusion 
expressions. It is even allows you to create a text file on your local 
machine and then upload it to the application server in order to 
evaluate it. This utility is supposed to be limited to the localhost. 

There are basically 3 important files in this exploit that any web user 
can access by default: "/cfdocs/expeval/openfile.cfm", 
"/cfdocs/expeval/displayopenedfile.cfm" and "/cfdocs/expeval/exprcalc.cfm". 
The first one lets you upload a file via a web form. The second one saves 
the file to the server. The last file reads the uploaded file, displays 
the contents of the file in a web form and then deletes the uploaded file. 

The Phrack article and the advisory from Allaire relate to "exprcalc.cfm". 
A web user can choose to view and delete any file they want. To view and 
delete a file like "c:\winnt\repair\setup.log" you would use a URL like: 
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log 

This exploit can be taken a step further. First go to: 
http://www.server.com/cfdocs/expeval/openfile.cfm 

Select a file to upload from your local machine and submit it. You will 
then be forwarded to a web page displaying the contents of the file you 
uploaded. The URL will look something like: 
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt 

Now replace the end of the URL where it shows ".\myfile.txt" with 
"ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so that web 
users can now use "openfile.cfm" to upload files to the web server 
without them being deleted. With some knowledge of Cold Fusion a web user 
can upload a Cold Fusion page that allows them to browse directories on 
the server as well as upload, download and delete files. Arbitrary 
executable files could placed anywhere the Cold Fusion service has 
access. Web users are not restricted to the web root. 

Frequently, Cold Fusion developers use Microsoft Access databases to 
store information for their web applications. If the described 
vulnerability exists on your server, these database files could 
potentially be downloaded and even overwritten with modified copies. 

The most concerning aspect of this vulnerability is that with a text 
editor and a web browser, web users are able to download password files, 
other confidential information and even upload executable files to a web 
server.

III. Solution

Allaire has posted a patch to this vulnerability. This is currently 
available at:
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full
In addition to this, it is recommended that the documentation and 
example code not be stored on production servers.

For specific questions about this advisory, please contact 
kklinsky@themerge.com



---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------

------------------------------------------------------------------------------------

Date: Wed, 21 Apr 1999 08:43:08 -0500
From: Weld Pond <weld@L0PHT.COM>
To: BUGTRAQ@netspace.org
Subject: L0pht Security Advisory: Cold Fusion App Server

Although this vulnerability has been known for a while we think it is
worse than originally thought. Users can upload and potentially execute
files on the web server. Furthermore, few sites seem to have fixed the
problem. Major commercial, government, and military sites have been found
to still be vulnerable.  We hope this advisory helps get the word out to
all those webmasters.

-weld