Cold Fusion Vulnerabilities

Updated 8/8/01

Impact

Various vulnerabilities in the sample scripts included in Cold Fusion could be exploited to read arbitrary files, upload files, or create a denial of service.

Note: The red stoplight on this page indicates the highest possible severity level for this category of vulnerabilities. To determine the severity level in this case, refer to the colored dot beside the link to this tutorial on the previous page.

Background

The Cold Fusion Application Server includes online documentation and sample code by default. Included in the sample code is the Expression Evaluator utility, which allows a developer to experiment with Cold Fusion expressions by uploading expressions from a local PC and having the Expression Evaluator evaluate them.

The Problems

Host Filter Bypass Exposes Vulnerabilities in Example Apps

Cold Fusion comes with a number of optional example applications. Since the example applications are intended only to be used to assist developers, they contain a host filter to prevent access by hosts other than the local host. However, the filter is based on an HTTP variable which is sent by the web browser and can be easily falsified, thus allowing an attacker to bypass the filter.

The vulnerability in the host filter exposes vulnerabilities in two of the example applications that could allow a remote attacker to execute commands or read files on the server. The Web Publishing application, found in /cfdocs/exampleapp/publish, could allow an attacker to upload files containing arbitrary commands, which could then be executed from a web browser. The E-mail application, found in /cfdocs/exampleapp/email, could allow an attacker to e-mail any file to any e-mail address, thus gaining the ability to read any file.

Cold Fusion versions prior to 5.0 are affected by this vulnerability. Cold Fusion 5.0 and higher are not affected because they use an improved method of checking a client's address.

Multiple Vulnerabilities in Versions Prior to 5.0

Multiple vulnerabilities in Cold Fusion versions 2.0 through 4.5.1 SP2 could allow a remote attacker to read or delete arbitrary files on the server, or to replace ColdFusion Server templates with empty files.

Expression Evaluator File Upload

A vulnerability in the Cold Fusion Expression Evaluator utility could allow an attacker to view and delete any file on the system, and to upload files anywhere on the server. The ability to upload executable files makes this vulnerability even more critical.

The file /cfdocs/expeval/exprcalc.cfm is intended to display the file uploaded by the user, and then delete it. However, it can easily be used to display and delete any file on the system. Furthermore, it can even be used to delete itself, so that subsequently uploaded files will not be deleted by the Expression Evaluator, and will remain on the server. Cold Fusion Application Server versions 2.0, 3.0, 3.1, and 4.0 have this vulnerability.

Source code viewing using sourcewindow.cfm

CVE 1999-0922
The example script sourcewindow.cfm allows a remote user to view the source code of any file on the server.

Vulnerabilities in Cold Fusion snippets

Vulnerabilities in several of the sample scripts included in the "snippets" directory could allow an attacker to verify the existence of files on the server, view the source code of Cold Fusion files, or create a denial of service.

Denial of Service in Syntax Checker

CVE 1999-0924
The Syntax Checker is used to check the syntax of Cold Fusion files. By sending a query which instructs it to check the syntax of *.*, a heavy load can be created on the CPU, thus slowing down the response to legitimate requests.

Denial of Service in Start/Stop utility

CVE 1999-0756
Cold Fusion contains a Java applet designed to allow an administrator to start or stop the Cold Fusion service. When Basic Security is enabled, this utility is password-protected, so that only an administrator can use it. However, when Advanced Security is enabled, it overrides the password-protection. This allows any remote user to stop the Cold Fusion service, thus creating a denial of service. Cold Fusion 4.0 and 4.0.1 are affected by this vulnerability if Advanced Security is enabled.

Resolutions

Firstly, upgrade to Cold Fusion 5.0 or higher, or install the patch referenced in Macromedia Product Security Bulletin 01-07. Secondly, online documentation and sample utilities should not be kept on operational web servers. Any files which are not needed should be deleted from the web server. In particular, delete the files and directories which contain vulnerabilities:

If the Expression Evaluator is needed, then either secure the /cfdocs/expeval directory so that it is only accessible by users who require it, or install the patch described in Allaire Security Bulletin 99-01.

If the Start/Stop utility is needed, and Advanced Security is enabled, upgrade to the latest version of Cold Fusion, or use standard Web Server security to restrict startstop.html so that it is only accessible to authorized users.

Where can I read more about this?

More information on the host filter bypass vulnerability, which exposes the vulnerabilities in the Web Publishing and E-mail example applications, can be found in Macromedia Security Bulletin 01-08 and an X-Force alert.

More information on the vulnerabilities in Cold Fusion versions prior to 5.0 can be found in Macromedia Product Security Bulletin 01-07.

More information about the Expression Evaluator vulnerability can be found in the L0pht Security Advisory and in Allaire Security Bulletin 99-01.

For more information about the sourcewindow, snippets, and syntax checker vulnerabilities, see Rain Forest Puppy and Allaire Security Bulletin 99-02.

More information about the Start/Stop vulnerability can be found in Allaire Security Bulletin 99-07.