Solved

ColdFusion upload page hacked

Posted on 2009-05-11
14
391 Views
Last Modified: 2013-12-24
I have a form used to upload files.  Some how someone was able to upload a malicious  .cfm file and deface my website.  It looks like they uploaded a file called tmpfiles.gif.cfm  I tried to upload the same file name and my site wouldn't let me, so how did they do it?

Here is part of the IIS log file

2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /upload.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/cfform.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/masks.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:16 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:28 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:49 W3SVC1 192.168.0.250 GET /uploads/tmpfiles.gif.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:57 W3SVC1 192.168.0.250 POST /uploads/tmpfiles.gif.cfm DirPath=C%3A%5CColdFusion8%5Cruntime%5Cservers%5Ccoldfusion%5CSERVER%2DINF%5Ctemp%5Cwwwroot%2Dtmp%5C 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
<cfif isDefined("FORM.Submit") AND isDefined("FORM.file")> 
        
				<cfset serverPath = GetDirectoryFromPath(GetBaseTemplatePath())>
    			
                <cftry>
                	<!--- Mime Types http://www.w3schools.com/media/media_mimeref.asp --->
                    
                    <cffile action="upload"
                    		filefield="file" 
                            destination="#serverPath#\uploads\" 
                            nameconflict="makeunique" 
                            accept="image/jpeg,image/gif,application/zip,application/pdf,audio/mpeg,video/mpeg,application/msword">
                    
 
                    <cfcatch type="any">   
						<cfset errmsg = "A problem was detected!  File type not allowed!">  
                    </cfcatch> 
                </cftry> 
                
                <cfif isdefined('errmsg')> 
					<cfoutput><h3>#errmsg#</h3></cfoutput>
                <cfelse>
                	<cfoutput><h3>File Received, thank you!</h3></cfoutput>
                 </cfif>

Open in new window

0
Comment
Question by:Kurt4949
14 Comments
 
LVL 19

Expert Comment

by:Jones911
ID: 24360215
I would have thought the accept attribute would limit and stop the .cfm files being uploaded.  To check for this you should check the last . and onwards for the files you need to accept ie make sure its .doc, .pdf etc
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360240
hmm and the messed something up.  Even though my site allows .gif, it won't let me upload.gif anymore.  I'm thinking about reinstalling coldfusion but I want to figure out how they hacked it so it doesn't happen again right after i spend time installing it.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360246
I tried uploading .jpg.cfm and it does indeed stop it so i'm puzzled.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 52

Expert Comment

by:_agx_
ID: 24360294
Unfortunately, it is amazingly trivial to do that.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360298
trivial to do what?
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360304
Bypass the accepted mime types
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360319
Care to explain how?  And do you have a better method so they can't bypass mime types?
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360323
Add some checks on the file extension(s) as Jones suggested.  You could also add some additional checks on the files themselves.  Like for example, use IsImage(filePath) to verify a file is really an image, etc..
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360339
Kurt4949,

Personally, I do not like to post easily exploit code.  Though I am sure there is plenty on the web.  If you post your email or an IM account like AIM in your profile, I can send you an explanation.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24360622
0
 
LVL 1

Accepted Solution

by:
boodyguard earned 500 total points
ID: 24369323
If the hacker can lunch the file it means that your upload directory is in the web published directory ?

Try to change this directory outside of the www root to be sure that he can not directly publish it.

You can add some test to the file.extension (search cfm for exemple, look how many . you have) and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

0
 
LVL 52

Expert Comment

by:_agx_
ID: 24380293
> and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

   That does not always help.

> Try to change this directory outside of the www root to be sure that he can not directly publish it.

     That is the better solution
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24380443
I used both of those suggestions.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24380548
Good :)  
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an updated version of a post made on my blog over 3 years ago. It is unfortunately, still very relevant as we continue to see both SQLi (SQL injection) and XSS (cross site scripting) attacks hitting some of the most recognizable website and …
Sometimes databases have MILLIONS of records and we need a way to quickly query that table to return the results me need. Sure you could use CFQUERY but it takes too long when there are millions of records. That is why SOLR was invented. Please …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question