SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Generic)  >   Adobe ColdFusion Vendors:   Adobe Systems Incorporated
Adobe ColdFusion Bugs Enable Cross-Site Scripting Evasion, Path Disclosure, and Internal Address Disclosure
SecurityTracker Alert ID:  1017361
SecurityTracker URL:  http://securitytracker.com/id/1017361
CVE Reference:   CVE-2006-6482, CVE-2006-6483   (Links to External Site)
Updated:  Mar 13 2007
Original Entry Date:  Dec 11 2006
Impact:   Disclosure of system information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): MX 7, possibly MX6
Description:   A vulnerability was reported in Adobe ColdFusion. A remote user can bypass cross-site scripting protections. A remote user can determine the installation path. A remote user can determine the internal IP address.

A remote user can insert a %00 character within a '<script>' tag to bypass cross-site scripting protections.

A demonstration exploit URL is of the following form:

http://[target]/CFIDE/componentutils/cfcexplorer.cfc?
method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&
path=/cfide/adminapi/administrator.cfctest">
<%00script>alert(document.domain)</script>

If a global error handler has not been defined, a remote user can submit an invalid request to cause the system to disclose the installation path. A request for an existing file that has a file extension that is not processed by the web server can trigger the flaw. The following extensions can be exploited:

.jws
.cfm
.cfml
.cfc

A remote user can also determine the internal network IP address by making a request to the following page without a host value:

/CFIDE/administrator/login.cfm

The vendor was notified on November 11, 2006.

Brett Moore of Security-Assessment.com discovered these vulnerabilities.

Impact:   A remote user can bypass cross-site scripting protections.

A remote user can determine the installation path.

A remote user can determine the internal IP address.

Solution:   Adobe has issued a fix for the cross-site scripting vulnerability [CVE-2006-6483], available at:

http://download.macromedia.com/pub/security/bulletins/apsb07-06/hf702-65115.zip

No solution was available for the information disclosure vulnerability [CVE-2006-6482] at the time of this entry.

The Adobe advisory is available at:

http://www.adobe.com/support/security/bulletins/apsb07-06.html

Vendor URL:  www.adobe.com/support/security/bulletins/apsb07-06.html (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] [SBDA] - ColdFusion MX7 - Multiple Vulnerabilities

Just clearing stuff out before Christmas.

========================================================================
= ColdFusion MX7 - Multiple Vulnerabilities
=
= Vendor Website:  
= http://www.Adobe.com
=
= Affected Software:
=       ColdFusion MX7 (and possibly MX6)
=
= Public disclosure on Monday December 11, 2006
========================================================================

== Overview ==

This advisory discloses three separate security issues in ColdFusion
MX7.

* Server Path Disclosure * 

It is possible to cause the server to disclose the local path by making 
an invalid request. This information could be used to aide in other file
or path based attacks.

The request must be for an existing file, that has an extension not 
handled by the web server. (ie: not asp,aspx).

The request must be terminated with either of the following;
    /.jws
    /.cfm
    /.cfml
    /.cfc

Some example requests are;
    http://serverip/page1.htm/a.cfm
    http://serverip/CFIDE/administrator/analyzer/img/minus.gif/a.cfm
    http://serverip/jrunscripts/jrun.ini/a.cfm
    http://serverip/jrunscripts/jrunserver.store/a.cfm
    http://serverip/jrunscripts/readme.txt/a.cfm

This has been confirmed against installs that do NOT have debugging or 
robust exception information turned on. 

Sending a request in this format returns a message similar to;
    Error parsing the Tag Library Descriptor
    file:/d:/sekretpath/hidden/page1.htm/..

* Internal IP Address Disclosure *

It is possible to cause the server to disclose the internal network IP
address of the host. This information could be used to aide in other 
network based attacks.

Making a request to the /CFIDE/administrator/login.cfm page WITHOUT 
supplying a host, will result in the internal IP address of the 
server to be disclosed as part of an href tag.

------------------------------------------------------------------
GET /CFIDE/administrator/login.cfm HTTP/1.0


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Thu, 09 Nov 2006 05:44:02 GMT

<html>
<head>
<LINK REL="SHORTCUT ICON" 
  href="http://INTERNALADDRESS:80/CFIDE/administrator/favicon.ico">

------------------------------------------------------------------

* Cross Site Scripting Protection Bypass *

ColdFusion MX7 appears to have built in protection against cross 
site scripting attacks, and will replace <script> tags with 
<invalid tag>.

Example URL that is converted to a 'safe' format;

http://server/CFIDE/componentutils/cfcexplorer.cfc?
method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&
path=/cfide/adminapi/administrator.cfctest">
<script>alert()</script>

By inserting a %00 within the <script> tag, it is possible to still 
conduct cross site scripting attacks against users of 
Internet Explorer.

Example URL that will have script executed;

http://server/CFIDE/componentutils/cfcexplorer.cfc?
method=getcfcinhtmtestl&name=CFIDE.adminapi.administrator&
path=/cfide/adminapi/administrator.cfctest">
<%00script>alert(document.domain)</script>

== Solutions ==

Currently, the issues outlined in the report are being considered for 
the next major version of ColdFusion - the release date is currently not

finalized. There is currently no plan to release security bulletins for 
any of the issues from the report

== Credit ==

Discovered and advised to Adobe November 11, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information 
Security consultants specialising in providing high quality Information 
Security services to clients throughout the Asia Pacific region. Our 
clients include some of the largest globally recognised companies in 
areas such as finance, telecommunications, broadcasting, legal and 
government. Our aim is to provide the very best independent advice and 
a high level of technical expertise while creating long and lasting 
professional relationships with our clients.

Security-Assessment.com is committed to security research and 
development, and its team continues to identify and responsibly publish 
vulnerabilities in public and private software vendor's products. 
Members of the Security-Assessment.com R&D team are globally recognised 
through their release of whitepapers and presentations related to new 
security research.

Security-Assessment.com is an Endorsed Commonwealth Government of 
Australia supplier and sits on the Australian Government 
Attorney-General's Department Critical Infrastructure Project panel. 
We are certified by both Visa and MasterCard under their Payment 
Card Industry Data Security Standard Programs.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC