L0pht Security Advisory ------------- URL Origin: http://www.l0pht.com/advisories.html Release Date: April 20th, 1999 Application: Cold Fusion Application Server Severity: Web users can download, delete and even upload executable files to a Cold Fusion server. Access is not limited to files under the web root. Author: kklinsky@themerge.com Operating Sys: All platforms ------------- I. Description In issue 54, volume 8 of Phrack Magazine dated December 25, 1998, rain.forest.puppy describes a security problem with installations of Cold Fusion Application Server when the online documentation is installed. The online documentation is installed by default. According to Phrack, the vulnerability allows web users to view files anywhere on the server. On February 4, 1999, Allaire posted a fix on their web site (www.allaire.com) and also recommend that documentation not be stored on production servers. They also acknowledge that the hole allows web users to read and also delete files on the server. The patch successfully fixes the problem if you decide to keep the documentation on the server. In examining an unpatched Cold Fusion Application Server it became apparent that in addition to reading and deleting files, web users also have the ability to upload (potentially executable) files to the server. A cursory survey of many large corporate and e-commerce sites using Cold Fusion turned up many vulnerable servers. The purpose of this advisory is to stress how important it is to use the patch that Allaire provides or take other measures to prevent web users from accessing this security hole. II. Details By default, the Cold Fusion application server install program installs sample code as well as online documentation. As part of this collection is a utility called the "Expression Evaluator". The purpose of this utility is to allow developers to easily experiment with Cold Fusion expressions. It is even allows you to create a text file on your local machine and then upload it to the application server in order to evaluate it. This utility is supposed to be limited to the localhost. There are basically 3 important files in this exploit that any web user can access by default: "/cfdocs/expeval/openfile.cfm", "/cfdocs/expeval/displayopenedfile.cfm" and "/cfdocs/expeval/exprcalc.cfm". The first one lets you upload a file via a web form. The second one saves the file to the server. The last file reads the uploaded file, displays the contents of the file in a web form and then deletes the uploaded file. The Phrack article and the advisory from Allaire relate to "exprcalc.cfm". A web user can choose to view and delete any file they want. To view and delete a file like "c:\winnt\repair\setup.log" you would use a URL like: http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log This exploit can be taken a step further. First go to: http://www.server.com/cfdocs/expeval/openfile.cfm Select a file to upload from your local machine and submit it. You will then be forwarded to a web page displaying the contents of the file you uploaded. The URL will look something like: http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt Now replace the end of the URL where it shows ".\myfile.txt" with "ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so that web users can now use "openfile.cfm" to upload files to the web server without them being deleted. With some knowledge of Cold Fusion a web user can upload a Cold Fusion page that allows them to browse directories on the server as well as upload, download and delete files. Arbitrary executable files could placed anywhere the Cold Fusion service has access. Web users are not restricted to the web root. Frequently, Cold Fusion developers use Microsoft Access databases to store information for their web applications. If the described vulnerability exists on your server, these database files could potentially be downloaded and even overwritten with modified copies. The most concerning aspect of this vulnerability is that with a text editor and a web browser, web users are able to download password files, other confidential information and even upload executable files to a web server. III. Solution Allaire has posted a patch to this vulnerability. This is currently available at: http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full In addition to this, it is recommended that the documentation and example code not be stored on production servers. For specific questions about this advisory, please contact kklinsky@themerge.com --------------- For more L0pht (that's L - zero - P - H - T) advisories check out: http://www.l0pht.com/advisories.html --------------- ------------------------------------------------------------------------------------ Date: Wed, 21 Apr 1999 08:43:08 -0500 From: Weld Pond To: BUGTRAQ@netspace.org Subject: L0pht Security Advisory: Cold Fusion App Server Although this vulnerability has been known for a while we think it is worse than originally thought. Users can upload and potentially execute files on the web server. Furthermore, few sites seem to have fixed the problem. Major commercial, government, and military sites have been found to still be vulnerable. We hope this advisory helps get the word out to all those webmasters. -weld