There has been a lot of noise over the past week about the ColdFusion Directory Traversal Vulnerability.
If you haven't heard, the basic issue is that ColdFusion allows just about any file on the server (usually a Windows server) to be included by way of either a URL parameter or a form parameter. Without any special encoding the vulnerability lets you grab any file ending in .xml, but by adding a %00 to the parameter, just about any file gets included in the normal display of the ColdFusion Administrator login page. This means that no authentication is required to pull it off. The flaw is in the internationalization tags used by the Administrator pages, which include XML files to render the text for different languages in the CFAdmin section. Those XML files aren't really XML files; they are files containing large switch/case statements which, according to the arguments, spit out the value for the piece of text the XML file is called with. The code calling the file uses user input to decide which file to grab but doesn't properly sanitize the request, allowing the inclusion of other files from the same disk the CFAdmin section lives on. As Adrian Pastor points out, CF runs under the SYSTEM account by default, which means access to any file on the drive, including the CF configuration files, which may contain things like database connection settings (with saved passwords that can be decrypted easily). Adrian also points out that once an attacker gains access to the CF Admin, it's game over.
The patches provided by Adobe for the problem are quite simple and in most cases shouldn't even require a restart of the ColdFusion services. The impact of the vulnerability, however, is huge. As Rafal Los, who rightfully calls this a "Disaster", points out, there are a lot of ColdFusion servers with the Administrator pages available to the world.
Even worse, the vulnerability can be exploited on versions 6-9 (CFMX6, CFMX7, CF8, CF9), but Adobe is only releasing patches for versions 8 and 9.
As we have been working with and hosting ColdFusion since version 5, we understand how most CF developers work and how poorly the servers are administered in most installations. In his post, Rafal Los offers some Google dorks for finding CF servers and states that "There is really no legitimate reason to have a ColdFusion Admin interface on the public internet". Really, I can't think of one, yet there are many results! So why are there so many results?
It is a combination of factors, laziness I'm sure being close to the top of the list, but there are others. The primary reason that comes to my mind is the location of the ColdFusion Administrator directory: inside the '/CFIDE/' directory. This directory has other directories inside it which are used by CF for things like form validation, Ajax, rendering of graphs, etc., and as such some applications stop working if the CFIDE directory does not exist, so it must be mapped as a virtual directory in most CF websites.
Often it is the webmaster or developer who sets up and manages the ColdFusion server, and they usually have very little knowledge of server security and limited knowledge of the ColdFusion Administrator, its associated security issues, or the CFIDE requirements of an application. Even if a real server admin is involved, his knowledge of ColdFusion will be little to none.
Thankfully Adobe has finally released a Lockdown Guide, written by Pete Freitag, which is well done and which I hope is somewhat due to all the advice and feedback I have given Adobe over the years in this department. I just hope people read and follow it.
Another problem is those older versions for which no patch is forthcoming. CF developers are very wary of changing the version of CF their application currently works on. Much of this comes from a botched move by Macromedia a long time ago, when their first version of ColdFusion MX 6 (6.0.0) became notorious for breaking apps and eating resources. This means that there are now a lot of old applications which are on old versions of CF.
If you run a CF server then you should install the patches and lock down access to your ColdFusion Administrator.
If you have a CFIDE vDir mapped to your sites, DO NOT use the original folder. Take a copy of the CFIDE folder, put it somewhere else, delete the ADMINISTRATOR and ADMINAPI folders from the copy, and use that copy for your virtual directories. I have various old CF security and lockdown articles on this blog which you may want to take a look at.
Aug 24, 2010 at 3:24 AM Really nice post, it's good to see the lock down guide.