Difference between revisions of "ColdFusion Security Threats"
(→Steps to protect your server) |
|||
Line 1: | Line 1: | ||
Details and resolutions for ColdFusion security threats. | Details and resolutions for ColdFusion security threats. | ||
− | ==2013 | + | ==2013-01-04 Scheduler Vulnerability== |
This vulnerability allows a remote attacker to schedule a ColdFusion task that saves the result into a '''.cfm''' file. The resulting '''.cfm''' file is then used by the attacker to compromise the system. | This vulnerability allows a remote attacker to schedule a ColdFusion task that saves the result into a '''.cfm''' file. The resulting '''.cfm''' file is then used by the attacker to compromise the system. |
Revision as of 19:45, 4 January 2013
Details and resolutions for ColdFusion security threats.
2013-01-04 Scheduler Vulnerability
This vulnerability allows a remote attacker to schedule a ColdFusion task that saves the result into a .cfm file. The resulting .cfm file is then used by the attacker to compromise the system.
Details
Charlie Arehart (an Adobe Community Professional - not affiliated with Hostek) detailed this vulnerability in the following blog posts:
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat
Steps to protect your server
This vulnerability is only possible if the remote attacker can access the /CFIDE/administrator/ or /CFIDE/adminapi/ directories.
The following batch script (Requires IIS7 or above) disables access to those folders using the Request Filtering module in IIS. This script assumes that you have a site named CFAdmin with restricted access that you will use to access the ColdFusion Administrator. The CFAdmin site will be excluded from the URL restrictions. For ColdFusion VPS servers configured by Hostek, that site should already exist and have IP Restrictions preventing unauthorized access. After you run this script, that site will be the only point of entry into the ColdFusion Administrator.
NOTE: Run the following script by placing it in a file named SecureCFAdmin.bat and executing it.
C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='/CFIDE/administrator/']" /commit:apphost C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /denyUrlSequences.[sequence='/CFIDE/administrator/'].lockItem:True /commit:apphost C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='/CFIDE/adminapi/']" /commit:apphost C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /denyUrlSequences.[sequence='/CFIDE/adminapi/'].lockItem:True /commit:apphost C:\Windows\system32\inetsrv\appcmd.exe set config "CFAdmin" -section:system.webServer/security/requestFiltering /-"denyUrlSequences.[sequence='/CFIDE/administrator/']" /commit:apphost C:\Windows\system32\inetsrv\appcmd.exe set config "CFAdmin" -section:system.webServer/security/requestFiltering /-"denyUrlSequences.[sequence='/CFIDE/adminapi/']" /commit:apphost
After the script is successfully executed, you should test accessing the /CFIDE/administrator/ directory from underneath one of your websites (example: http://yourdomain.com/CFIDE/administrator/index.cfm). You should receive an error similar to the following:
HTTP Error 404.5 - Not Found The request filtering module is configured to deny the URL sequence