| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Dec 2006 09:33:35 -0500 From: "Darren Bounds" <dbounds@...il.com> To: "Brett Moore" <brett.moore@...urity-assessment.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [SBDA] - ColdFusion MX7 - Multiple Vulnerabilities Brett, With regard to the first item, you realize that this item is completely mitigated when a global error handler is defined, correct? Without a global error handler, there's a hell of a lot more information than that what you've mentioned available for the picking. This is very well documented. Darren On 12/10/06, Brett Moore <brett.moore@...urity-assessment.com> wrote: > Just clearing stuff out before Christmas. > > ======================================================================== > = ColdFusion MX7 - Multiple Vulnerabilities > = > = Vendor Website: > = http://www.Adobe.com > = > = Affected Software: > = ColdFusion MX7 (and possibly MX6) > = > = Public disclosure on Monday December 11, 2006 > ======================================================================== > > == Overview == > > This advisory discloses three separate security issues in ColdFusion > MX7. > > * Server Path Disclosure * > > It is possible to cause the server to disclose the local path by making > an invalid request. This information could be used to aide in other file > or path based attacks. > > The request must be for an existing file, that has an extension not > handled by the web server. (ie: not asp,aspx). > > The request must be terminated with either of the following; > /.jws > /.cfm > /.cfml > /.cfc > > Some example requests are; > http://serverip/page1.htm/a.cfm > http://serverip/CFIDE/administrator/analyzer/img/minus.gif/a.cfm > http://serverip/jrunscripts/jrun.ini/a.cfm > http://serverip/jrunscripts/jrunserver.store/a.cfm > http://serverip/jrunscripts/readme.txt/a.cfm > > This has been confirmed against installs that do NOT have debugging or > robust exception information turned on. > > Sending a request in this format returns a message similar to; > Error parsing the Tag Library Descriptor > file:/d:/sekretpath/hidden/page1.htm/.. > > * Internal IP Address Disclosure * > > It is possible to cause the server to disclose the internal network IP > address of the host. This information could be used to aide in other > network based attacks. > > Making a request to the /CFIDE/administrator/login.cfm page WITHOUT > supplying a host, will result in the internal IP address of the > server to be disclosed as part of an href tag. > > ------------------------------------------------------------------ > GET /CFIDE/administrator/login.cfm HTTP/1.0 > > > HTTP/1.1 200 OK > Server: Microsoft-IIS/5.1 > Date: Thu, 09 Nov 2006 05:44:02 GMT > > <html> > <head> > <LINK REL="SHORTCUT ICON" > href="http://INTERNALADDRESS:80/CFIDE/administrator/favicon.ico"> > > ------------------------------------------------------------------ > > * Cross Site Scripting Protection Bypass * > > ColdFusion MX7 appears to have built in protection against cross > site scripting attacks, and will replace <script> tags with > <invalid tag>. > > Example URL that is converted to a 'safe' format; > > http://server/CFIDE/componentutils/cfcexplorer.cfc? > method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator& > path=/cfide/adminapi/administrator.cfctest"> > <script>alert()</script> > > By inserting a %00 within the <script> tag, it is possible to still > conduct cross site scripting attacks against users of > Internet Explorer. > > Example URL that will have script executed; > > http://server/CFIDE/componentutils/cfcexplorer.cfc? > method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator& > path=/cfide/adminapi/administrator.cfctest"> > <%00script>alert(document.domain)</script> > > == Solutions == > > Currently, the issues outlined in the report are being considered for > the next major version of ColdFusion - the release date is currently not > > finalized. There is currently no plan to release security bulletins for > any of the issues from the report > > == Credit == > > Discovered and advised to Adobe November 11, 2006 by Brett Moore of > Security-Assessment.com > > == About Security-Assessment.com == > > Security-Assessment.com is Australasia's leading team of Information > Security consultants specialising in providing high quality Information > Security services to clients throughout the Asia Pacific region. Our > clients include some of the largest globally recognised companies in > areas such as finance, telecommunications, broadcasting, legal and > government. Our aim is to provide the very best independent advice and > a high level of technical expertise while creating long and lasting > professional relationships with our clients. > > Security-Assessment.com is committed to security research and > development, and its team continues to identify and responsibly publish > vulnerabilities in public and private software vendor's products. > Members of the Security-Assessment.com R&D team are globally recognised > through their release of whitepapers and presentations related to new > security research. > > Security-Assessment.com is an Endorsed Commonwealth Government of > Australia supplier and sits on the Australian Government > Attorney-General's Department Critical Infrastructure Project panel. > We are certified by both Visa and MasterCard under their Payment > Card Industry Data Security Standard Programs. > -- Thank you, Darren Bounds _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists