Solved

ColdFusion upload page hacked

Posted on 2009-05-11
14
382 Views
Last Modified: 2013-12-24
I have a form used to upload files.  Some how someone was able to upload a malicious  .cfm file and deface my website.  It looks like they uploaded a file called tmpfiles.gif.cfm  I tried to upload the same file name and my site wouldn't let me, so how did they do it?

Here is part of the IIS log file

2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /upload.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/cfform.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/masks.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:16 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:28 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:49 W3SVC1 192.168.0.250 GET /uploads/tmpfiles.gif.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:57 W3SVC1 192.168.0.250 POST /uploads/tmpfiles.gif.cfm DirPath=C%3A%5CColdFusion8%5Cruntime%5Cservers%5Ccoldfusion%5CSERVER%2DINF%5Ctemp%5Cwwwroot%2Dtmp%5C 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
<cfif isDefined("FORM.Submit") AND isDefined("FORM.file")> 

        

				<cfset serverPath = GetDirectoryFromPath(GetBaseTemplatePath())>

    			

                <cftry>

                	<!--- Mime Types http://www.w3schools.com/media/media_mimeref.asp --->

                    

                    <cffile action="upload"

                    		filefield="file" 

                            destination="#serverPath#\uploads\" 

                            nameconflict="makeunique" 

                            accept="image/jpeg,image/gif,application/zip,application/pdf,audio/mpeg,video/mpeg,application/msword">

                    

 

                    <cfcatch type="any">   

						<cfset errmsg = "A problem was detected!  File type not allowed!">  

                    </cfcatch> 

                </cftry> 

                

                <cfif isdefined('errmsg')> 

					<cfoutput><h3>#errmsg#</h3></cfoutput>

                <cfelse>

                	<cfoutput><h3>File Received, thank you!</h3></cfoutput>

                 </cfif>

Open in new window

0
Comment
Question by:Kurt4949
14 Comments
 
LVL 19

Expert Comment

by:Jones911
Comment Utility
I would have thought the accept attribute would limit and stop the .cfm files being uploaded.  To check for this you should check the last . and onwards for the files you need to accept ie make sure its .doc, .pdf etc
0
 
LVL 7

Author Comment

by:Kurt4949
Comment Utility
hmm and the messed something up.  Even though my site allows .gif, it won't let me upload.gif anymore.  I'm thinking about reinstalling coldfusion but I want to figure out how they hacked it so it doesn't happen again right after i spend time installing it.
0
 
LVL 7

Author Comment

by:Kurt4949
Comment Utility
I tried uploading .jpg.cfm and it does indeed stop it so i'm puzzled.
0
 
LVL 52

Expert Comment

by:_agx_
Comment Utility
Unfortunately, it is amazingly trivial to do that.
0
 
LVL 7

Author Comment

by:Kurt4949
Comment Utility
trivial to do what?
0
 
LVL 52

Expert Comment

by:_agx_
Comment Utility
Bypass the accepted mime types
0
 
LVL 7

Author Comment

by:Kurt4949
Comment Utility
Care to explain how?  And do you have a better method so they can't bypass mime types?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 52

Expert Comment

by:_agx_
Comment Utility
Add some checks on the file extension(s) as Jones suggested.  You could also add some additional checks on the files themselves.  Like for example, use IsImage(filePath) to verify a file is really an image, etc..
0
 
LVL 52

Expert Comment

by:_agx_
Comment Utility
Kurt4949,

Personally, I do not like to post easily exploit code.  Though I am sure there is plenty on the web.  If you post your email or an IM account like AIM in your profile, I can send you an explanation.
0
 
LVL 27

Expert Comment

by:azadisaryev
Comment Utility
0
 
LVL 1

Accepted Solution

by:
boodyguard earned 500 total points
Comment Utility
If the hacker can lunch the file it means that your upload directory is in the web published directory ?

Try to change this directory outside of the www root to be sure that he can not directly publish it.

You can add some test to the file.extension (search cfm for exemple, look how many . you have) and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

0
 
LVL 52

Expert Comment

by:_agx_
Comment Utility
> and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

   That does not always help.

> Try to change this directory outside of the www root to be sure that he can not directly publish it.

     That is the better solution
0
 
LVL 7

Author Comment

by:Kurt4949
Comment Utility
I used both of those suggestions.
0
 
LVL 52

Expert Comment

by:_agx_
Comment Utility
Good :)  
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

This is an updated version of a post made on my blog over 3 years ago. It is unfortunately, still very relevant as we continue to see both SQLi (SQL injection) and XSS (cross site scripting) attacks hitting some of the most recognizable website and …
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now