procheckup logo
sidebar_boxes_image

Contact Us

Find out more information about ProCheckUp click here.


sidebar_boxes_image

Services

Find out more about ProCheckUp services here.


sidebar_boxes_image

Events

  • PCI DSS User Group meeting

    Neira Jones will be speaking on Barclaycards current approach to PCI and offering advice and guidance to merchants.

Click here to see more events.

Vulnerabilities 2010


PR10-07 Unauthenticated File Retrieval (traversal) within ColdFusion administration console


  • Advisory publicly released: Wednesday, 11 August 2010
  • Vulnerability found: Saturday, 17 April 2010
  • Vendor informed: Monday, 19 April 2010
  • Vulnerability fixed: Tuesday, 10 August 2010
  • Severity level: High
  • Credits
    Richard Brain of ProCheckUp Ltd (www.procheckup.com)
  • Description
    Adobe ColdFusion is a easy to use and very widely adopted Programming language, Procheckup has discovered that the ColdFusion admin console (and various programs within) are vulnerable to multiple directory traversal attacks related to a input parameter. No authentication is needed; all that is needed is that the admin console is accessible to the Internet.
    Notes: Tested on ColdFusion enterprise version7.0 amd version 8.01 running on Windows XP, and Windows 2003 R2 SP2 server and mapped to IIS 6. Procheckup has also confirmed the flaw exists on Linux.
    Defaults were chosen with "server contained installation" "like the earlier versions", and all subcomponents.
    ColdFusion 9 provides an additional layer of filtering to prevent common attacks, preventing the below attack from working. Procheckup recommends however ColdFusion 9 users to apply the ColdFusion 9 patches as Procheckup have found the filtering can be bypassed.

    Versions tested and found vulnerable
    ColdFusion MX7 7,0,0,91690 base patches
    ColdFusion MX8 8,0,1,195765 base patches
    ColdFusion MX8 8,0,1,195765 with Hotfix4

    Consequences:
    Arbitrary files can be retrieved from the target server, no authentication is required to exploit this vulnerability.
  • Proof of concept
    The following demonstrate the traversal flaw:
    *The exploit strings will be published within seven days
  • How to fix
    Apply patches as described below, or restrict access to /CIDE/administrator/ by IP address or other similar controls.

    See http://www.adobe.com/support/security/bulletins/apsb10-18.html

    ColdFusion 9
    1. Download CFIDE-9.zip from Adobe.
    2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
    3. Extract the files in CFIDE-9.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
    Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
    4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
    5. Restart all the ColdFusion instances.

    ColdFusion 8.0.1
    1. Download CFIDE-801.zip from Adobe.
    2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
    3. Extract the files in CFIDE-801.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
    Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
    4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
    5. Restart all the ColdFusion instances.

    ColdFusion 8.0
    1. Download CFIDE-8.zip from Adobe.
    2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
    3. Extract the files in CFIDE-8.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
    Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
    4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
    5. Restart all the ColdFusion instances.
  • References

    CVE-2010-2861
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2861

    APSB10-18
    http://www.adobe.com/support/security/bulletins/apsb10-18.html


  • Legal
    Legal:

    Copyright 2010 Procheckup Ltd. All rights reserved.

    Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is
    Not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

    Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.