Solved

ColdFusion upload page hacked

Posted on 2009-05-11
14
385 Views
Last Modified: 2013-12-24
I have a form used to upload files.  Some how someone was able to upload a malicious  .cfm file and deface my website.  It looks like they uploaded a file called tmpfiles.gif.cfm  I tried to upload the same file name and my site wouldn't let me, so how did they do it?

Here is part of the IIS log file

2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /upload.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/cfform.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/masks.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:16 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:28 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:49 W3SVC1 192.168.0.250 GET /uploads/tmpfiles.gif.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:57 W3SVC1 192.168.0.250 POST /uploads/tmpfiles.gif.cfm DirPath=C%3A%5CColdFusion8%5Cruntime%5Cservers%5Ccoldfusion%5CSERVER%2DINF%5Ctemp%5Cwwwroot%2Dtmp%5C 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
<cfif isDefined("FORM.Submit") AND isDefined("FORM.file")> 

        

				<cfset serverPath = GetDirectoryFromPath(GetBaseTemplatePath())>

    			

                <cftry>

                	<!--- Mime Types http://www.w3schools.com/media/media_mimeref.asp --->

                    

                    <cffile action="upload"

                    		filefield="file" 

                            destination="#serverPath#\uploads\" 

                            nameconflict="makeunique" 

                            accept="image/jpeg,image/gif,application/zip,application/pdf,audio/mpeg,video/mpeg,application/msword">

                    

 

                    <cfcatch type="any">   

						<cfset errmsg = "A problem was detected!  File type not allowed!">  

                    </cfcatch> 

                </cftry> 

                

                <cfif isdefined('errmsg')> 

					<cfoutput><h3>#errmsg#</h3></cfoutput>

                <cfelse>

                	<cfoutput><h3>File Received, thank you!</h3></cfoutput>

                 </cfif>

Open in new window

0
Comment
Question by:Kurt4949
14 Comments
 
LVL 19

Expert Comment

by:Jones911
ID: 24360215
I would have thought the accept attribute would limit and stop the .cfm files being uploaded.  To check for this you should check the last . and onwards for the files you need to accept ie make sure its .doc, .pdf etc
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360240
hmm and the messed something up.  Even though my site allows .gif, it won't let me upload.gif anymore.  I'm thinking about reinstalling coldfusion but I want to figure out how they hacked it so it doesn't happen again right after i spend time installing it.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360246
I tried uploading .jpg.cfm and it does indeed stop it so i'm puzzled.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360294
Unfortunately, it is amazingly trivial to do that.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360298
trivial to do what?
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360304
Bypass the accepted mime types
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360319
Care to explain how?  And do you have a better method so they can't bypass mime types?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 52

Expert Comment

by:_agx_
ID: 24360323
Add some checks on the file extension(s) as Jones suggested.  You could also add some additional checks on the files themselves.  Like for example, use IsImage(filePath) to verify a file is really an image, etc..
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360339
Kurt4949,

Personally, I do not like to post easily exploit code.  Though I am sure there is plenty on the web.  If you post your email or an IM account like AIM in your profile, I can send you an explanation.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24360622
0
 
LVL 1

Accepted Solution

by:
boodyguard earned 500 total points
ID: 24369323
If the hacker can lunch the file it means that your upload directory is in the web published directory ?

Try to change this directory outside of the www root to be sure that he can not directly publish it.

You can add some test to the file.extension (search cfm for exemple, look how many . you have) and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

0
 
LVL 52

Expert Comment

by:_agx_
ID: 24380293
> and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

   That does not always help.

> Try to change this directory outside of the www root to be sure that he can not directly publish it.

     That is the better solution
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24380443
I used both of those suggestions.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24380548
Good :)  
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The technique is by far very Simple! How we can export the ColdFusion query results to DOC file?  Well before writing this I researched a lot in Internet but did not found a good Answer anyways!  So i thought now i should share my small snippet w…
I spent nearly three days trying to figure out how incorporate OAuth in Coldfusion for the Eventful API. Hopefully, this article will allow Coldfusion Programmers to buzz through the API when they need to. Basically, what this script does is authori…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now