L0pht Security Advisory
-------------
URL Origin: http://www.l0pht.com/advisories.html
Release Date: April 20th, 1999
Application: Cold Fusion Application Server
Severity: Web users can download, delete and even upload
executable files to a Cold Fusion server. Access
is not limited to files under the web root.
Author: kklinsky@themerge.com
Operating Sys: All platforms
-------------
I. Description
In issue 54, volume 8 of Phrack Magazine dated December 25, 1998,
rain.forest.puppy <rfpuppy@iname.com> describes a security problem with
installations of Cold Fusion Application Server when the online
documentation is installed. The online documentation is installed by
default. According to Phrack, the vulnerability allows web users to view
files anywhere on the server.
On February 4, 1999, Allaire posted a fix on their web site
(www.allaire.com) and also recommend that documentation not be stored
on production servers. They also acknowledge that the hole allows web
users to read and also delete files on the server. The patch
successfully fixes the problem if you decide to keep the documentation
on the server.
In examining an unpatched Cold Fusion Application Server it became
apparent that in addition to reading and deleting files, web users also
have the ability to upload (potentially executable) files to the server.
A cursory survey of many large corporate and e-commerce sites using Cold
Fusion turned up many vulnerable servers. The purpose of this advisory is
to stress how important it is to use the patch that Allaire provides or
take other measures to prevent web users from accessing this security
hole.
II. Details
By default, the Cold Fusion application server install program installs
sample code as well as online documentation. As part of this collection
is a utility called the "Expression Evaluator". The purpose of this
utility is to allow developers to easily experiment with Cold Fusion
expressions. It is even allows you to create a text file on your local
machine and then upload it to the application server in order to
evaluate it. This utility is supposed to be limited to the localhost.
There are basically 3 important files in this exploit that any web user
can access by default: "/cfdocs/expeval/openfile.cfm",
"/cfdocs/expeval/displayopenedfile.cfm" and "/cfdocs/expeval/exprcalc.cfm".
The first one lets you upload a file via a web form. The second one saves
the file to the server. The last file reads the uploaded file, displays
the contents of the file in a web form and then deletes the uploaded file.
The Phrack article and the advisory from Allaire relate to "exprcalc.cfm".
A web user can choose to view and delete any file they want. To view and
delete a file like "c:\winnt\repair\setup.log" you would use a URL like:
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log
This exploit can be taken a step further. First go to:
http://www.server.com/cfdocs/expeval/openfile.cfm
Select a file to upload from your local machine and submit it. You will
then be forwarded to a web page displaying the contents of the file you
uploaded. The URL will look something like:
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt
Now replace the end of the URL where it shows ".\myfile.txt" with
"ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so that web
users can now use "openfile.cfm" to upload files to the web server
without them being deleted. With some knowledge of Cold Fusion a web user
can upload a Cold Fusion page that allows them to browse directories on
the server as well as upload, download and delete files. Arbitrary
executable files could placed anywhere the Cold Fusion service has
access. Web users are not restricted to the web root.
Frequently, Cold Fusion developers use Microsoft Access databases to
store information for their web applications. If the described
vulnerability exists on your server, these database files could
potentially be downloaded and even overwritten with modified copies.
The most concerning aspect of this vulnerability is that with a text
editor and a web browser, web users are able to download password files,
other confidential information and even upload executable files to a web
server.
III. Solution
Allaire has posted a patch to this vulnerability. This is currently
available at:
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full
In addition to this, it is recommended that the documentation and
example code not be stored on production servers.
For specific questions about this advisory, please contact
kklinsky@themerge.com
---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------
------------------------------------------------------------------------------------
Date: Wed, 21 Apr 1999 08:43:08 -0500
From: Weld Pond <weld@L0PHT.COM>
To: BUGTRAQ@netspace.org
Subject: L0pht Security Advisory: Cold Fusion App Server
Although this vulnerability has been known for a while we think it is
worse than originally thought. Users can upload and potentially execute
files on the web server. Furthermore, few sites seem to have fixed the
problem. Major commercial, government, and military sites have been found
to still be vulnerable. We hope this advisory helps get the word out to
all those webmasters.
-weld