There has been a lot of noise over the past week about the ColdFusion Directory Traversal Vulnerability. If you haven’t heard, the basic issue is that ColdFusion allows just about any file on the server (usually Windows servers) to be included by way of either a URL parameter or a form parameter. Without special encoding the vulnerability will let you grab any file ending in “.xml”, but by adding a “%00” to the parameter, just about any file gets included in the normal display of the ColdFusion Administrator login page. This means that no authentication is required to pull this off. The flaw is in the internationalization tags used by the Administrator pages, which include XML files to render the text for different languages in the CFAdmin section. In turn, the XML files aren’t really XML files, but instead are files containing large switch/case statements which, according to the arguments, spit out the value for the piece of text the XML file is called with. The flaw is that the code calling the file uses user input to decide which file to grab, but doesn’t properly sanitize the request, allowing the inclusion of other files from the same disk the CFAdmin section is living on. As Adrian Pastor points out, CF runs under the SYSTEM account by default, which means access to any file on the drive, including the CF configuration files, which may contain things like database connection settings (with saved passwords which can be decrypted easily). Adrian also points out that once an attacker gains access to the CF Admin, it’s game over.
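The root cause above is a file-selection parameter that is appended to “.xml” and never checked, so a null byte ends the name early. As an added example (not ColdFusion’s code, and not from this post), here is the shape of the defensive check a developer would want: an allow-list on the raw parameter, with a canonical-path containment check behind it, plus a small scan of constructed access-log lines that flags CFIDE administrator requests whose locale value is not on that list. The directory, the locale names and the log lines are all assumptions made up for the example.

```python
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed layout and locale names; the real CFAdmin paths are not on the page.
LOCALE_DIR = Path("/opt/coldfusion/wwwroot/CFIDE/administrator/locale")
ALLOWED_LOCALES = frozenset({"en", "de", "fr", "ja"})  # constructed allow-list


def resolve_locale_file(locale: str) -> Optional[Path]:
    """Map a locale parameter to the file to include, or None to refuse it.

    The allow-list is the primary control: traversal sequences, absolute
    paths and null bytes are never members of it, so the request is refused
    before anything touches the filesystem. The containment check is
    defence in depth for the day the list is loosened to something broader.
    """
    if locale not in ALLOWED_LOCALES:
        return None
    candidate = (LOCALE_DIR / f"{locale}.xml").resolve()
    try:
        candidate.relative_to(LOCALE_DIR.resolve())  # must stay under LOCALE_DIR
    except ValueError:
        return None
    return candidate


def flag_admin_requests(log_lines: List[str]) -> List[str]:
    """Return access-log lines hitting /CFIDE/administrator/ with a locale
    value outside the allow-list: a cheap triage for probes of this flaw."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().startswith("/cfide/administrator/"):
            continue  # the locale include lives in the Administrator pages
        # parse_qs percent-decodes, so "%00" arrives as a real null byte here
        values = parse_qs(url.query, keep_blank_values=True).get("locale", [])
        if any(v not in ALLOWED_LOCALES for v in values):
            flagged.append(line)
    return flagged


# Constructed sample log lines; only the second one should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2010:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm?locale=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Aug/2010:10:00:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2Fexample%00en HTTP/1.1" 200 8192',
    '10.0.0.7 - - [12/Aug/2010:10:00:03 +0000] "GET /index.cfm?locale=..%2Fexample HTTP/1.1" 200 300',
]
```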
The patches provided by Adobe for the problem are quite simple, and in most cases shouldn’t even require a restart of the ColdFusion services. The impact of the vulnerability is huge. As Rafal Los, who rightfully calls this a “Disaster”, points out, there are a lot of ColdFusion servers with the Administrator pages available to the world.
Even worse, the vulnerability can be exploited on versions 6-9 (CFMX6, CFMX7, CF8, CF9), but Adobe is only releasing patches for versions 8 and 9.
Now for my confession. I’ve been working with (and frustrated by) ColdFusion since version 4.5. I understand how CF developers work, and how poorly the servers are administered in most installations. In his post, Rafal Los offers some Google dorks for finding CF servers, and states that “There is really no legitimate reason to have a ColdFusion Admin interface on the public internet … really, I can’t think of one… yet there are many results!”. So why are there so many results?
It is a combination of factors, laziness I’m sure being close to the top of the list, but there are others. The primary reason that comes to my mind is the location of the ColdFusion Administrator directory, inside of the “/CFIDE/” directory. This directory has other directories inside of it which are used by CF for things like form validation, rendering of graphs, etc., and as such some applications stop working if the entire directory is locked down. This means the administrator (who may know nothing about ColdFusion) has to try to lock down the directories individually (in Adobe’s defense, the most recent version has a Lockdown Guide written by Pete Freitag which is well done). I think the security of ColdFusion has suffered as a result of this mixture of programming functionality and server administration.
Another problem is those older versions for which no patch is forthcoming. CF developers are very wary of changing the version of CF their application currently works on. Much of this comes from a botched move by Macromedia a long time ago, when their first version of ColdFusion MX 6 (6.0.0) became notorious for breaking apps and eating resources. This means that there are now a lot of old applications which are on old versions of CF.
Unfortunately, ColdFusion is starting (well, continuing) to look a lot like PHP for its reputation in security circles. Like PHP, CFML is easy to pick up, and makes it very easy to write applications. It also makes it very easy to write insecure applications. Most CF sites are vulnerable to SQLi, XSS, and LFI, much like PHP. Now with a vulnerability like this in the core of ColdFusion, I can’t say the reputation it is gaining isn’t deserved.