lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 3 Aug 2005 17:04:23 -0700 (PDT)
From: steven@...ebug.org
To: version5@...il.com, bugtraq@...urityfocus.com
Subject: Re: Coldfusion Fusebox V4.1.0 Vulnerability



List of people you could have contacted with regarding the bug:

http://www.fusebox.org/index.cfm?fuseaction=fusebox.teamfusebox

Forum full of users and site staff that you could have
contacted/questioned about the bug:

http://www.fusebox.org/forums/



Steven


----- Original Message -----
From: "N.N.P" <version5@...il.com>
To: <bugtraq@...urityfocus.com>
Sent: Wednesday, August 03, 2005 4:19 AM
Subject: Coldfusion Fusebox V4.1.0 Vulnerability


This was discovered by myself over the weekend. I cant find out what
versions of fusebox this vulnerability is in but seeing as it affects
the main fusebox page I can only assume it is the latest v4.1.0 and
possibly some older versions.

According to the Fusebox site,

What is Fusebox?
Fusebox is a standard framework for building web-based applications.

Basically the "fusebox" takes all requests for actions such as
searching, login etc etc on a site and passes it off to the relevant
script (check out their site for more info). Normally you see
something like

[code]
http://www.fusebox.org/index.cfm?fuseaction=fusebox.overview[/code]

Basically this vulnerability allows the execution of JS. For example

http://www.site.org/index.cfm?fuseaction="><script>document.location="http://silentcode.net"</script>

Im sure if anyone feels like screwing around with it im sure you'll
find some other interesting problems with it, the thing is like swiss
cheese ; )

Comments and critisisms are welcome.

Comments:
Some sites using fusebox are not vulnerable. It appears to be possible
to set a standard page for errors and some filter out the script tags.
Also some will work with redirects and normal alert boxes but will
filter out document.cookie. In cases like these it often proves useful
to leave in the actual fuseaction. This helps avoid the error in some
cases. e.g
http://www.site.org/index.cfm?fuseaction=fusebox.overview"><script>alert(document.cookie)</script><

Usage:
The main usage of this vulnerability would be cookie stealing. This is
achieved by redirecting the user to a php script on a site you control
with the users cookie as a parameter to the script. Then to avoid
raising suspicions redirect them back to the page they thought they
were accessing. Google "cookie stealing" for more info.

Fix:
Filtering all input to the fusebox correctly should solve this. As
well as that setting it to surpress errors and having a default error
page should also help.

Googling for allinurl:/index.cfm?fuseaction= will give you an idea of
how many sites are possibly vulnerable.

Enjoy,
NNP

As a side note, if the server isnt set to surpress errors you can get
some interesting info such as full path disclosure etc by passing in
special characters such as ?

e.g https://site.com/index.cfm?fuseaction=?

If you want to see an example of what i mean have a look on
http://silentcode.net/community

I've posted a vulnerable site there.
-- 
http://silentcode.net

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ