
cf40.txt

17 Aug 1999 00:00:00 | Reported by rain forest puppy | Type: packetstorm | Source: packetstormsecurity.com

Security flaws in Cold Fusion 4.0 lead to potential file access and CPU spikes.

Code
`Ok, I've had CF 4.0 (eval) for approx. 1 hour now, and here's over a half  
dozen more reasons to not use sample pages:   
  
http://server/cfdocs/exampleapp/docs/sourcewindow.cfm?Template=   
  
--shows you contents of any file you want   
  
http://server/cfdocs/snippets/evaluate.cfm   
  
--if the expression evaluator has local host only security, why is this  
one unprotected? If I knew more CF insides, maybe I could really abuse  
this.   
  
http://server/cfdocs/snippets/fileexists.cfm   
  
--can be used to verify the existence of any file on the same hard drive.  
Granted, it disallows supplying a drive letter, or starting with \ or /.  
But the following works for me (since I'm on NT, and \inetput\wwwroot is  
on my boot drive): ..\..\..\..\boot.ini   
  
http://server/cfdocs/snippets/gettempdirectory.cfm   
  
--while this is not a security problem in itself, I was QUITE alarmed what  
the results were. Now, my NT installation is a completely generic NT  
install (all I did was practically hit the Next button wherever  
possible):   
  
GetTempDirectory Example   
  
The temporary directory for this Cold Fusion server is C:\WINNT\.   
  
We have created a temporary file called: C:\WINNT\tes39.tmp   
  
Now why is my \winnt\ my temp directory?!? That means temp files have the  
possibility of screwing with my system files. Granted, this is probably  
just a variable/setting issue. But still alarming.   
  
http://server/cfdocs/snippets/setlocale.cfm   
  
--possibly abusable...it's another eval.   
  
http://server/cfdocs/snippets/viewexample.cfm?Tagname=..\..\   
  
--allows you to view any .CFM files. It automatically adds the .cfm  
extension, so only CFM files are prey to this.   
  
http://server/cfdocs/cfmlsyntaxcheck.cfm   
  
--I set this to c:\, check *.*, recurse, and it spit out various lists of  
.exe's I had. Also caused the CF server process to spike and stay at 100%  
CPU utilization.   
  
Plus it made two ODBC DSNs for the samples. While this is not a threat at  
all, there are some drawbacks....(information regarding this will be  
released in the future after completion of research).   
  
Speaking of research, this is in no way thorough. Due to lack of resources  
(eval copy running on a p75), I'm only going to mess with the sample  
pages. If anyone wishes to donate materials for better research (Allaire?)  
I'm all ears. :)   
  
Cheers, .rain.forest.puppy.   
  
--------------------------------------------------------------------------  
  
Date: Sat, 6 Feb 1999 09:01:51 +0800  
From: Gilbert Huang <[email protected]>  
To: [email protected]  
Subject: Cold Fusion and NT security advisory  
  
Just received an email from Allaire with the following security advisories:  
  
Expression Evaluator Security Issues  
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full  
  
Cold Fusion 4.0 Example Applications and Sample Code Exposes Servers  
http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full  
  
Microsoft Internet Information Server Exposure of Source Code with '::$DATA'  
http://www.allaire.com/handlers/index.cfm?ID=8729&Method=Full  
  
Multiple SQL Statements in Dynamic Queries  
http://www.allaire.com/handlers/index.cfm?ID=8728&Method=Full  
  
Those of you who use Cold Fusion on your servers should be aware of these  
security breaches.  
  
Cheers!  
Gilbert Huang  
  
`
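
A defender-side check for the sample pages listed in the advisory above, as an added example that is not part of the original post: it scans IIS W3C extended log lines for requests to those `/cfdocs` pages and notes whether the query string carries a `..\` or `../` sequence. The log lines, field layout and function name are constructed for illustration.

```python
import urllib.parse

# Sample pages named in the advisory (IIS paths are case-insensitive).
SAMPLE_PAGES = {
    "/cfdocs/exampleapp/docs/sourcewindow.cfm",
    "/cfdocs/snippets/evaluate.cfm",
    "/cfdocs/snippets/fileexists.cfm",
    "/cfdocs/snippets/gettempdirectory.cfm",
    "/cfdocs/snippets/setlocale.cfm",
    "/cfdocs/snippets/viewexample.cfm",
    "/cfdocs/cfmlsyntaxcheck.cfm",
}

def scan_w3c_log(lines):
    """Return (client_ip, page, traversal_seen) for each hit on a sample page."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = urllib.parse.unquote(row.get("cs-uri-stem", "")).lower()
        stem = stem.replace("\\", "/")
        if stem not in SAMPLE_PAGES:
            continue
        # Decode twice so a doubly percent-encoded query is also normalised.
        query = urllib.parse.unquote(urllib.parse.unquote(row.get("cs-uri-query", "")))
        traversal = "../" in query.replace("\\", "/")
        hits.append((row.get("c-ip", "-"), stem, traversal))
    return hits

# Constructed log lines (hypothetical hosts and times, not from the original page).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-02-06 09:10:01 192.0.2.10 GET /index.cfm - 200
1999-02-06 09:10:07 192.0.2.44 GET /CFDOCS/snippets/viewexample.cfm Tagname=..%5C..%5C 200
1999-02-06 09:10:09 192.0.2.44 GET /cfdocs/snippets/gettempdirectory.cfm - 200
1999-02-06 09:10:15 192.0.2.44 POST /cfdocs/snippets/fileexists.cfm - 200
""".splitlines()

if __name__ == "__main__":
    for ip, page, trav in scan_w3c_log(SAMPLE_LOG):
        print(f"{ip} requested {page} traversal_in_query={trav}")
```

POST bodies are not written to W3C logs, so a path submitted through a form shows up only as a hit on the page, not as a traversal flag. Any hit at all means the sample directory is reachable on that server.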
