_________ SWAT MAGAZINE ISSUE TWENTY: AUGUST 1999 __________
/         \___________________________________________/         \
/                        COLD FUSION                             \
/         By Netw0rk Bug   bug@netw0rk.freeserve.co.uk           \
----------------------------------------------------------------------

OK then, this information is not that new, but I have found that it is not documented that well, apart from Phrack Magazine and The L0PHT, which helped me with information for this article. Not many people seem to be aware of the problems with Cold Fusion, so that is why I am writing this article at this very moment.

Basically, on a Cold Fusion server, internet users are able to download, delete and even upload files (even executables). Also, access is not limited to files under the web root.

Last year in Phrack Magazine there was a description of a security problem with installations of Cold Fusion Application Server when the online documentation is installed, which it is by default. The vulnerability allowed web users to view files anywhere on the server. Allaire posted a fix on their web site (www.allaire.com) and also recommended that documentation not be stored on production servers. They also acknowledged that the hole allows web users to read and also delete files on the server. The patch successfully fixes the problem if you decide to keep the documentation on the server.

In examining an unpatched Cold Fusion Application Server it became apparent that, in addition to reading and deleting files, web users also have the ability to upload (potentially executable) files to the server.

OK then... The Cold Fusion Application Server install program installs sample code as well as online documentation by default. Part of this collection is a utility called the "Expression Evaluator". The purpose of this utility is to allow developers to easily experiment with Cold Fusion expressions. It even allows you to create a text file on your local machine and then upload it to the application server in order to evaluate it.
This utility is supposed to be limited to the localhost. There are basically three important files in this exploit that any web user can access by default: "/cfdocs/expeval/openfile.cfm", "/cfdocs/expeval/displayopenedfile.cfm" and "/cfdocs/expeval/exprcalc.cfm". The first one lets you upload a file via a web form. The second one saves the file to the server. The last file reads the uploaded file, displays the contents of the file in a web form and then deletes the uploaded file.

The Phrack article and the advisory from Allaire relate to "exprcalc.cfm". A web user can choose to view and delete any file they want. To view and delete a file like "c:\winnt\repair\setup.log" you would use a URL like:

http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log

This exploit can be taken a step further. First go to:

http://www.server.com/cfdocs/expeval/openfile.cfm

Select a file to upload from your local machine and submit it. You will then be forwarded to a web page displaying the contents of the file you uploaded. The URL will look something like:

http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt

Now replace the end of the URL where it shows ".\myfile.txt" with "ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm", so that web users can now use "openfile.cfm" to upload files to the web server without them being deleted. With some knowledge of Cold Fusion a web user can upload a Cold Fusion page that allows them to browse directories on the server as well as upload, download and delete files. Arbitrary executable files could be placed anywhere the Cold Fusion service has access. Web users are not restricted to the web root.

Frequently, Cold Fusion developers use Microsoft Access databases to store information for their web applications.
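The request pattern described above leaves a clear trail in the web server log. As an added example, not part of the original article, here is a small Python scanner that flags Expression Evaluator pages reached from a non-local address, OpenFilePath values pointing outside the expeval upload directory, and the ExprCalc.cfm self-delete trick. The simplified IIS-style log layout, the sample log lines and the C:\Inetpub\wwwroot install path are constructed assumptions.

```python
import ntpath
from urllib.parse import parse_qs

# Paths named in the article; UPLOAD_DIR is an assumed default install location.
EXPEVAL_DIR = "/cfdocs/expeval/"
UPLOAD_DIR = "c:\\inetpub\\wwwroot\\cfdocs\\expeval"

# Constructed sample log in a simplified IIS/W3C layout: date time c-ip method uri query status.
SAMPLE_LOG = r"""
1999-08-02 10:01:12 10.0.0.5 GET /index.cfm - 200
1999-08-02 10:02:40 10.0.0.9 GET /cfdocs/expeval/openfile.cfm - 200
1999-08-02 10:02:55 10.0.0.9 POST /cfdocs/expeval/displayopenedfile.cfm - 302
1999-08-02 10:03:01 10.0.0.9 GET /cfdocs/expeval/ExprCalc.cfm RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt 200
1999-08-02 10:03:30 10.0.0.9 GET /cfdocs/expeval/ExprCalc.cfm OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\ExprCalc.cfm 200
1999-08-02 10:04:02 10.0.0.9 GET /cfdocs/expeval/ExprCalc.cfm OpenFilePath=c:\winnt\repair\setup.log 200
1999-08-02 10:05:00 127.0.0.1 GET /cfdocs/expeval/exprcalc.cfm OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\test.txt 200
"""

def classify(ip, uri, query):
    """Return a reason string when a request matches the Expression Evaluator abuse pattern."""
    path = uri.lower()
    if not path.startswith(EXPEVAL_DIR):
        return None
    page = path.rsplit("/", 1)[-1]
    if page == "exprcalc.cfm":
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        target = params.get("openfilepath", [""])[0].lower().replace("/", "\\")
        if target:
            target = ntpath.normpath(target)  # collapses the "\.\" the form inserts
            if ntpath.dirname(target) != UPLOAD_DIR:
                return "ExprCalc.cfm reading/deleting a file outside the upload directory: " + target
            if ntpath.basename(target) == "exprcalc.cfm":
                return "ExprCalc.cfm asked to delete itself (uploads would no longer be cleaned up)"
    if ip != "127.0.0.1":
        return "Expression Evaluator page reached from a non-local address"
    return None

def scan(log_text):
    """Return (ip, uri, reason) for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or line.startswith("#"):
            continue
        _date, _time, ip, _method, uri, query, _status = fields[:7]
        reason = classify(ip, uri, "" if query == "-" else query)
        if reason:
            findings.append((ip, uri, reason))
    return findings
```

Run `scan(SAMPLE_LOG)` to see the five flagged requests; the localhost request inside the upload directory is the only expeval hit that passes.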
If the described vulnerability exists on your server, these database files could potentially be downloaded and even overwritten with modified copies. So basically, armed with a l33t text editor and a web browser, you are able to download password files, confidential information and even upload executables.

The patch to fix the problem is currently available at:

http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full

----------------------------------------------------------------------
Written by Netw0rk Bug for SWATEAM   www.swateam.org   AUG'99

If you have any questions or comments then don't hesitate to mail me at "bug@netw0rk.freeserve.co.uk". I would like to hear from anyone, no matter what they have to say.
----------------------------------------------------------------------