Bugtraq mailing list archives
ColdFusion File Upload Exploit (fwd)
From: aleph1 () DFW NET (Aleph One)
Date: Mon, 14 Sep 1998 20:23:41 -0500
---------- Forwarded message ----------
Date: Mon, 14 Sep 1998 12:12:23 -0600
From: INFO2000 TECH <colby () INFO2000 NET>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: ColdFusion File Upload Exploit

The following message was posted to Allaire's COLD FUSION forums:

As previously noticed in the thread:
http://forums.allaire.com/devconf/Thread_MessageList.cfm?&&Message_ID=71293

By default, on Windows NT installations, the CF function GetTempDirectory returns C:\WINNT. This can be exploited with the "Coffe Valley Document Library", included in the Cold Fusion Installation Examples. This allows users to upload arbitrary files to the C:\WINNT directory.

THIS IS A SECURITY RISK. C:\WINNT is the second item in the default Windows NT path, and this exploit can be used to introduce trojans into this directory. Even though the Coffe Valley example uses the CFFILE attribute "MakeUnique", which will not overwrite existing files with the uploaded filename, there is still a security risk in that new executables and DLLs can be introduced. On a smaller note, the file system could be filled up with garbage files.

WORKAROUND: Currently, TEMP is correctly set to C:\TEMP as a User Environment Variable, but should also be set as a System Environment Variable. It would also be a really good idea to disable public access to the /CFDOCS directory on any machine running Cold Fusion (as this is where the Example Applications reside).

This is a "feature" of CF 3.x AND CF 4.0, AND this bug has been reported as a "benign" bug on the Beta Forums...
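The pattern the advisory describes, and a hardened form of it, as an added CFML example. This is not the Coffee Valley Document Library code and not anything from Allaire; it is written here to show the weak setting beside the corrected one. Assumptions: a form field named "FileContents", an administrator-chosen upload directory D:\CFUpload\ outside the web root, and the NT default of C:\WINNT as the Windows directory. Setting TEMP as a System Environment Variable and blocking /CFDOCS are done in the NT System control panel and the web server configuration respectively, not in CFML, so the template below only refuses to run until the first of those has been done.

```cfml
<!--- Added example: not the Coffee Valley Document Library code and not Allaire's.
      Assumptions: a form field named "FileContents", an upload directory D:\CFUpload\
      that sits outside the web root, and C:\WINNT as the NT system directory. --->

<!--- Weak pattern, as the advisory describes it. DESTINATION is whatever
      GetTempDirectory() returns; on a default NT install that is C:\WINNT,
      which is on the system PATH. MAKEUNIQUE stops an upload from clobbering
      an existing file but still lets a brand-new .EXE or .DLL land there.

      <CFFILE ACTION="UPLOAD" FILEFIELD="FileContents"
              DESTINATION="#GetTempDirectory()#" NAMECONFLICT="MAKEUNIQUE">
--->

<!--- Hardened form: the destination is a fixed directory chosen by the
      administrator, never a path derived from the server's TEMP setting. --->
<CFSET UploadDir = "D:\CFUpload\">

<!--- Refuse to run at all while the temp directory still resolves into the
      Windows directory, i.e. while the System-level TEMP variable from the
      workaround has not yet been set. GetTempDirectory() returns the path
      with a trailing backslash, so a prefix comparison is used. --->
<CFSET TempDir = GetTempDirectory()>
<CFSET WinDir = "C:\WINNT">
<CFIF CompareNoCase(Left(TempDir, Len(WinDir)), WinDir) EQ 0>
    <CFOUTPUT>Upload disabled: GetTempDirectory() returns #TempDir#.
    Set TEMP as a System Environment Variable and restart the ColdFusion service.</CFOUTPUT>
    <CFABORT>
</CFIF>

<!--- A document library only needs text and HTML. ACCEPT filters on the
      MIME type the browser claims, so the extension is checked as well. --->
<CFFILE ACTION="UPLOAD" FILEFIELD="FileContents"
        DESTINATION="#UploadDir#" NAMECONFLICT="MAKEUNIQUE"
        ACCEPT="text/plain,text/html">

<!--- File.ServerFileExt and File.ServerFile are set by CFFILE ACTION="UPLOAD".
      Anything outside the allow-list is deleted again before it can be reached. --->
<CFSET AllowedExt = "txt,htm,html">
<CFIF ListFindNoCase(AllowedExt, File.ServerFileExt) EQ 0>
    <CFFILE ACTION="DELETE" FILE="#UploadDir##File.ServerFile#">
    <CFOUTPUT>Rejected: .#File.ServerFileExt# is not an allowed document type.</CFOUTPUT>
    <CFABORT>
</CFIF>

<CFOUTPUT>Stored as #File.ServerFile# in #UploadDir#</CFOUTPUT>
```

The extension check matters because NAMECONFLICT="MAKEUNIQUE" only prevents overwriting; it does nothing to stop a new executable from being written, which is exactly the risk the advisory points out. Keeping the destination fixed and outside the web root means a misconfigured TEMP can no longer move uploads onto the system PATH.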
Current thread:
- ColdFusion File Upload Exploit (fwd) Aleph One (Sep 14)
- <Possible follow-ups>
- Re: ColdFusion File Upload Exploit (fwd) David LeBlanc (Sep 15)
- Re: ColdFusion File Upload Exploit (fwd) - correction David LeBlanc (Sep 15)