prodil89 Posted August 14, 2010 (edited)

Adobe ColdFusion's Directory Traversal Disaster

The ColdFusion enterprise development platform has had security vulnerabilities before. It is not really surprising that a platform that caters to "super-simple development" ends up with security issues, since you can rarely get easy and secure in the same product. In fact, I don't think I've ever seen an enterprise development suite that has figured out how to make software development simple while maintaining some level of security - I'm convinced it's simply not possible.

The ColdFusion directory traversal vulnerability has been classified by Adobe as important rather than critical, and I agree with A.P. (Adrian P. of GnuCitizen) that this is a mistake. Here's why I think this is a big mistake ... on top of the excellent analysis Adrian has already done (check his excellent post here), I think it's relevant to do a little digging yourself to understand the full scope of the potential problem.

First, let's do a little Google-fu to determine whether there are really ColdFusion administrators who would put their CFAdmin pages (the administrative page for a ColdFusion server) on the Internet. There is really no legitimate reason to have a ColdFusion Admin interface on the public Internet ... really, I can't think of one ... yet there are many results! Check out the results for the various admin components:

* CFIDE "adminapi"
* CFIDE "Administrator"
* CFIDE "ComponentUtils"
* CFIDE "Wizards"

Now, that's a lot of results (at least at the time of this blog post) of mostly wide-open ColdFusion administrative interfaces ... many of them have directory listing turned on - why, I can't even begin to explain. What makes this worse is there is a rumor that this attack is actually also executable against other directories - I'm trying to substantiate that... This attack can lead to a full system compromise, so let's make sure we're clear.
It's not just that you can poke around the system files of the machine you've attacked (which is highly likely a MS Windows server); it's also the ability to upload scripts that can compromise the system, or even poke around the database natively if the security is really that bad.

So ... should this vulnerability be rated important? My assessment is absolutely not. Look, any system that is built to be "easy to use" (remember Windows?) is one where the user typically expects the vendor (Adobe) to "do the hard stuff for me", right? This thinking most definitely extends into security, and while Adobe has done a good job encrypting database passwords by default, and other little security nuances like not providing a default administrator password ... it's not enough.

If you have a ColdFusion server, patch it ... NOW. Otherwise the ColdFusion system you administer is likely to be not your own - and that's not just FUD talking.

Good luck out there!

Source: [url=http://h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964]HP Blogs - Adobe ColdFusion's Directory Traversal Disaster - The HP Blog Hub[/url]

Edited August 14, 2010 by prodil89
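The post makes two practical points: the CFIDE administrative components (adminapi, Administrator, ComponentUtils, Wizards) should never be reachable from the public Internet, and the attack against them is a directory traversal. The script below is an added example, not code from the post or from the HP blog it quotes, and shows how an administrator could check their own web-server access logs for both conditions while waiting to patch: requests to those CFIDE paths from outside the networks you treat as internal, and traversal sequences (`../`, `..\`, including percent-encoded and double-encoded forms) in any request. The log lines, the internal address ranges, the decoding depth and the query parameter names in the samples are all constructed for the example; they are not the vulnerable parameter or any real log.

```python
"""
Flag two things in Apache/IIS-style common-log-format access logs:
  1. requests to ColdFusion admin components under /CFIDE/ from non-internal
     client addresses ("external-cfide-admin"), and
  2. directory-traversal sequences anywhere in the request path or query
     string, after repeated percent-decoding ("traversal").
All sample data below is constructed for this example.
"""
import ipaddress
import re
from urllib.parse import unquote

# CFIDE administrative components named in the post (matched case-insensitively).
ADMIN_PREFIXES = (
    "/cfide/adminapi",
    "/cfide/administrator",
    "/cfide/componentutils",
    "/cfide/wizards",
)

# Networks from which admin access is expected. Constructed assumption;
# replace with your own management ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# client-ip ident user [timestamp] "METHOD path HTTP/x.y" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# "../" or "..\" once the path has been fully decoded.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so that %252e%252e%252f also becomes ../.
    The bound on rounds is an assumption, chosen to stop pathological input."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_internal(ip: str) -> bool:
    """True if the client address lies in one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(line: str):
    """Return (client_ip, decoded_path, findings) for one log line, or None
    if the line does not parse. findings is a list of tags, possibly empty."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, raw_path, _status = m.groups()
    path = decode_fully(raw_path)
    findings = []
    if path.lower().startswith(ADMIN_PREFIXES) and not is_internal(ip):
        findings.append("external-cfide-admin")
    if TRAVERSAL_RE.search(path):
        findings.append("traversal")
    return ip, path, findings


def scan(lines):
    """Return only the parsed lines that produced at least one finding."""
    return [r for r in map(classify, lines) if r and r[2]]


# Constructed sample log. 10.x is internal; 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for the public Internet.
SAMPLE_LOG = [
    '10.1.2.3 - - [14/Aug/2010:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Aug/2010:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512',
    # hypothetical parameter name; backslash traversal, single percent-encoding
    '203.0.113.7 - - [14/Aug/2010:10:00:02 +0000] "GET /CFIDE/adminapi/page.cfm?path=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 1024',
    # double-encoded traversal outside CFIDE
    '198.51.100.9 - - [14/Aug/2010:10:00:03 +0000] "GET /images/%252e%252e%252fwindows/win.ini HTTP/1.1" 404 300',
    '198.51.100.9 - - [14/Aug/2010:10:00:04 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(f"{ip:<14} {','.join(findings):<30} {path}")
```

Run it against a real log with `scan(open("access.log"))`; any `external-cfide-admin` hit means the admin interface is exposed regardless of whether an attack has happened yet, which is the exposure the Google queries in the post are finding. Matching on the decoded path rather than the raw one is what catches the encoded variants; a rule that only greps for the literal `../` misses them.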