ColdFusion Security: Top Seven ColdFusion Security Issues
This installment discusses the most prevalent security issues in ColdFusion server configurations and application implementations. Future articles will discuss other security-related topics, both for other sysmox products specifically and for general security concepts that should be helpful for developers, server administrators, and others involved in web implementations.
Why Should You Care About Security Issues?
1 ColdFusion Directory Traversal
2 FCKeditor Bug
3 ColdFusion Administrator on Production Servers
4 Unvalidated Browser Input
5 Sample Applications and Documentation on Production Servers
6 CFFILE, CFFTP, and CFPOP
7 ColdFusion Studio and RDS with Production Servers
Please keep in mind that keeping computer security issues at bay can be a full-time job. While these columns seek to provide general education and point out common security issues in implementations, they are not meant as a substitute for a full-time security specialist group or individual in your organization.
Please also remember that when links are provided for reference, they may point to advisories that do not apply to your server or configuration. Be sure to check carefully whether the suggested fixes and workarounds apply to your configuration before implementing them. Also, be sure to test any patch in a testing environment before applying it to a production environment.
Why Should You Care About Security Issues?
Security should be everyone’s concern. Over time, the professional security community has learned that the best-implemented security is carried out in a thorough and pervasive manner. If a developer, architect, or designer is not thinking explicitly about security, it simply won’t happen spontaneously.
Additionally, the wild, wild web is literally saturated with motivated attackers just waiting for a juicy target to attack and subvert. To make matters worse, many would-be attackers can find simple, automated “scripts” (automated tools that search for and exploit known security issues) with which to attack and subvert your server(s).
If any standard, well-known security issue is a concern with your server’s configuration, it is only a matter of time before an unknown attacker finds that she can, and does, successfully attack and potentially subvert your systems.
1 – ColdFusion directory traversal:
This is a variation of the classic directory traversal vulnerability, and it can be used for arbitrary file retrieval. Without special encoding, the bug only lets an attacker retrieve files ending in “.xml”, but by appending a “%00” (null byte) it becomes far more powerful:
The exploit:
http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
If the administrator login password is stored as a hash (using the SHA1 algorithm, as in CF MX7), the attacker then attempts to crack it via an offline password-cracking attack or a rainbow table lookup. Note that the default setting in ColdFusion 8 is encrypted=true in the password.properties file. Otherwise.
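For defenders, the request pattern above is easy to spot in web server access logs. The following is an added example (not code from the article): a small Python scanner that flags requests under /CFIDE/ whose parameters contain traversal sequences, a null byte, or a reference to password.properties, after decoding nested percent-encoding. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2010:10:01:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2010:10:02:31 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2010:10:02:40 +0000] "GET /CFIDE/administrator/enter.cfm?locale=%2e%2e%2f%2e%2e%2fColdFusion8%2flib%2fpassword.properties%2500en HTTP/1.1" 200 812
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e, %2500) normalize too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target: str) -> list[str]:
    """Return suspicious traits of a request to the ColdFusion administrator; [] if clean."""
    parts = urlsplit(target)
    findings: list[str] = []
    if not parts.path.lower().startswith("/cfide/"):
        return findings
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw)  # parse_qs already decoded once; peel further layers
            if "../" in value or "..\\" in value:
                findings.append(f"traversal in {name}")
            if "\x00" in value:
                findings.append(f"null byte in {name}")
            if "password.properties" in value.lower():
                findings.append(f"password.properties requested via {name}")
    return findings

def scan_log(text: str) -> list[dict]:
    """Parse each log line and return an alert for every request with suspicious traits."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            alerts.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                           "target": m["target"], "findings": findings})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["time"], ", ".join(alert["findings"]))
```

A 200 status on a flagged request deserves immediate attention, since it suggests the server actually returned the requested file.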
