ColdFusion Security Threats
Latest revision as of 19:05, 23 April 2014
Details and resolutions for ColdFusion security threats.
2013-01-04 ColdFusion Scheduler Vulnerability
This vulnerability allows a remote attacker to schedule a ColdFusion task that saves the result into a .cfm file. The resulting .cfm file is then used by the attacker to compromise the system.
Details
Charlie Arehart (an Adobe Community Professional - not affiliated with Hostek) detailed this vulnerability in the following blog posts:
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat
Steps to protect your server
This vulnerability is only possible if the remote attacker can access the /CFIDE/administrator/ or /CFIDE/adminapi/ directories.
The following batch script (Requires IIS7 or above) disables access to those folders using the Request Filtering module in IIS. This script assumes that you have a site named CFAdmin with restricted access that you will use to access the ColdFusion Administrator. The CFAdmin site will be excluded from the URL restrictions. For ColdFusion VPS servers configured by Hostek, that site should already exist and have IP Restrictions preventing unauthorized access. After you run this script, that site will be the only point of entry into the ColdFusion Administrator.
NOTE: Run the following script by placing it in a file named SecureCFAdmin.bat and executing it.
REM Deny the ColdFusion Administrator URL at the server (applicationHost) level
C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='/CFIDE/administrator/']" /commit:apphost
REM Lock the entry so a site's web.config cannot override it
C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /denyUrlSequences.[sequence='/CFIDE/administrator/'].lockItem:True /commit:apphost
REM Deny and lock the Admin API URL the same way
C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='/CFIDE/adminapi/']" /commit:apphost
C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /denyUrlSequences.[sequence='/CFIDE/adminapi/'].lockItem:True /commit:apphost
REM Remove both deny rules for the CFAdmin site only, so it stays the single point of entry
C:\Windows\system32\inetsrv\appcmd.exe set config "CFAdmin" -section:system.webServer/security/requestFiltering /-"denyUrlSequences.[sequence='/CFIDE/administrator/']" /commit:apphost
C:\Windows\system32\inetsrv\appcmd.exe set config "CFAdmin" -section:system.webServer/security/requestFiltering /-"denyUrlSequences.[sequence='/CFIDE/adminapi/']" /commit:apphost
After the script is successfully executed, you should test accessing the /CFIDE/administrator/ directory from underneath one of your websites (example: http://yourdomain.com/CFIDE/administrator/index.cfm). You should receive an error similar to the following:
HTTP Error 404.5 - Not Found
The request filtering module is configured to deny the URL sequence
Securing ColdFusion on Apache httpd
If you run Apache (httpd) instead of IIS, secure access to ColdFusion by adding the following to your Apache configuration file (httpd.conf or http.conf):
<LocationMatch "/CFIDE/administrator/">
order deny,allow
deny from all
#allow from local and your IP
allow from 127.0.0.1
allow from 123.213.132.231
</LocationMatch>

<LocationMatch "/CFIDE/adminapi">
order deny,allow
deny from all
#allow from local and your IP
allow from 127.0.0.1
allow from 123.213.132.231
</LocationMatch>

<LocationMatch "/CFIDE/componentutils">
order deny,allow
deny from all
#allow from local and your IP
allow from 127.0.0.1
allow from 123.213.132.231
</LocationMatch>
Be sure to replace 123.213.132.231 with your actual IP address. Once finished, save the file then restart Apache httpd.
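As an added example (not part of the wiki page and not a Hostek tool), the following Python script reads an httpd.conf fragment like the one above and checks that all three CFIDE paths are covered by a LocationMatch block that denies by default and allows only loopback plus the addresses you actually trust. It also catches the mistake the previous sentence warns about: the sample address 123.213.132.231 left in place. The function names, the trusted-address list and the 203.0.113.10 address (an RFC 5737 documentation address) are this example's own choices.

```python
"""Audit an Apache httpd.conf fragment for the CFIDE restrictions described above.

Added example, not part of the wiki page and not Hostek tooling. It parses
<LocationMatch> blocks and checks, for each of the three CFIDE paths, that the
block denies by default, allows only loopback plus an explicit trusted list,
and that the page's sample address 123.213.132.231 was really replaced.
"""
import re

REQUIRED_PATHS = ("/CFIDE/administrator", "/CFIDE/adminapi", "/CFIDE/componentutils")
PLACEHOLDER_IP = "123.213.132.231"  # sample address from the page; must not stay in a real config

# The configuration fragment from the page, embedded here as constructed input.
PAGE_CONF = """
<LocationMatch "/CFIDE/administrator/">
order deny,allow
deny from all
#allow from local and your IP
allow from 127.0.0.1
allow from 123.213.132.231
</LocationMatch>

<LocationMatch "/CFIDE/adminapi">
order deny,allow
deny from all
#allow from local and your IP
allow from 127.0.0.1
allow from 123.213.132.231
</LocationMatch>

<LocationMatch "/CFIDE/componentutils">
order deny,allow
deny from all
#allow from local and your IP
allow from 127.0.0.1
allow from 123.213.132.231
</LocationMatch>
"""

BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>',
                      re.IGNORECASE | re.DOTALL)


def parse_location_blocks(conf):
    """Return [(pattern, [(directive, argument), ...]), ...] with comments and
    blank lines dropped and everything lower-cased (IP addresses are unaffected)."""
    blocks = []
    for match in BLOCK_RE.finditer(conf):
        directives = []
        for raw in match.group(2).splitlines():
            line = raw.split("#", 1)[0].strip().lower()
            if line:
                name, _, arg = line.partition(" ")
                directives.append((name, arg.strip()))
        blocks.append((match.group(1), directives))
    return blocks


def audit_cfide_access(conf, trusted_ips):
    """Return a list of findings; an empty list means every required path is
    covered by a block that denies all and allows only loopback + trusted_ips."""
    trusted = {"127.0.0.1", *trusted_ips}
    findings = []
    blocks = parse_location_blocks(conf)
    for path in REQUIRED_PATHS:
        # LocationMatch takes a regular expression, so test each path the way httpd would
        covering = [(p, d) for p, d in blocks if re.search(p, path + "/")]
        if not covering:
            findings.append(f"{path}: no <LocationMatch> block covers it")
            continue
        for pattern, directives in covering:
            if ("order", "deny,allow") not in directives:
                findings.append(f"{pattern}: missing 'order deny,allow'")
            if ("deny", "from all") not in directives:
                findings.append(f"{pattern}: missing 'deny from all'")
            for name, arg in directives:
                if name != "allow":
                    continue
                parts = arg.split()                 # "from 10.0.0.5" -> ["from", "10.0.0.5"]
                addr = parts[-1] if parts else ""
                if addr == PLACEHOLDER_IP:
                    findings.append(f"{pattern}: sample address {PLACEHOLDER_IP} was never replaced")
                elif addr not in trusted:
                    findings.append(f"{pattern}: unexpected 'allow from {addr}'")
    return findings


if __name__ == "__main__":
    print("as on the page:", audit_cfide_access(PAGE_CONF, []))
    fixed = PAGE_CONF.replace(PLACEHOLDER_IP, "203.0.113.10")
    print("after replacing the address:", audit_cfide_access(fixed, ["203.0.113.10"]))
```

Run against the fragment exactly as printed on the page, the audit reports three findings (one per block) because the sample address is still present; after replacing it with your own address and passing that address as trusted, it reports none. Feeding it a file that lacks the componentutils block produces a "no <LocationMatch> block covers it" finding, which is the kind of gap a quick manual read tends to miss.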
2011-06-14 ColdFusion CSRF Vulnerability
This vulnerability is described in APSB11-14 and APSB11-15 and could lead to cross-site request forgeries (CSRF) and denial of service (DoS) attacks.
Related ColdFusion Error: CFWindow - There was an error while validation
If your code uses CFWindow, you may encounter the following error after applying this update:
CFWindow - There was an error while validation
CFContainerID: Invalid input. Please conform to regex ^[\p{Alnum}_\-\.:]+$ with a maximum length of 100
Based on the regular expression added by the security update, the following characters are allowed for the name attribute of the CFWindow tag:
- Letters (a through z and A through Z)
- Numbers (0 through 9)
- Underscore (_)
- Dash (-)
- Period (.)
- Colon (:)
Most notably, spaces, angle brackets, and slashes are not allowed. Any characters that are not included above must be removed/replaced to avoid the error.
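As an added example (not from the wiki page or from Adobe), the following Python code applies the same rule the error message states, so you can check names before they reach CFWindow and rewrite names that are built dynamically (for example from record titles). Java's \p{Alnum} is a POSIX class covering ASCII letters and digits only by default, so the character class is spelled out explicitly; the function names and sample names are this example's own.

```python
r"""Check and repair CFWindow names against the rule the security update enforces.

Added example, not from the wiki page or from Adobe. The quoted error says a
CFContainerID must match ^[\p{Alnum}_\-\.:]+$ and be at most 100 characters.
\p{Alnum} is Java's POSIX class (ASCII letters and digits unless the Unicode
flag is set), so the Python class below spells that out.
"""
import re

MAX_LEN = 100
ALLOWED = re.compile(r"[A-Za-z0-9_.:-]+")      # Python spelling of [\p{Alnum}_\-\.:]+
DISALLOWED = re.compile(r"[^A-Za-z0-9_.:-]")   # every character that triggers the error


def is_valid_cfwindow_name(name):
    """True when the name would pass the CFContainerID check."""
    return 0 < len(name) <= MAX_LEN and ALLOWED.fullmatch(name) is not None


def disallowed_characters(name):
    """Sorted list of the distinct characters in name that would trigger the error."""
    return sorted(set(DISALLOWED.findall(name)))


def sanitize_cfwindow_name(name, replacement="_"):
    """Rewrite a dynamically built name so it passes the check: disallowed
    characters are replaced and the result is cut to MAX_LEN. Raises ValueError
    when nothing usable remains, so the caller can fall back to a fixed name."""
    cleaned = DISALLOWED.sub(replacement, name)[:MAX_LEN]
    if not is_valid_cfwindow_name(cleaned):
        raise ValueError(f"no usable CFWindow name could be derived from {name!r}")
    return cleaned


if __name__ == "__main__":
    # Constructed sample names: one valid, one with space/angle brackets/slash, one too long
    for sample in ("orderWindow_1.2:a", "order window <1>/2", "a" * 101):
        print(f"{sample[:30]!r}: valid={is_valid_cfwindow_name(sample)} "
              f"offending={disallowed_characters(sample)} "
              f"sanitized={sanitize_cfwindow_name(sample)[:30]!r}")
```

The sanitizer deliberately re-validates its own output rather than trusting the substitution, so an unusual replacement string or an input made entirely of disallowed characters is reported instead of silently producing a name that will still fail on the server.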