Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 406
  • Last Modified:

ColdFusion upload page hacked

I have a form used to upload files.  Some how someone was able to upload a malicious  .cfm file and deface my website.  It looks like they uploaded a file called tmpfiles.gif.cfm  I tried to upload the same file name and my site wouldn't let me, so how did they do it?

Here is part of the IIS log file

2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /upload.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/cfform.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/masks.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:16 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:28 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:49 W3SVC1 192.168.0.250 GET /uploads/tmpfiles.gif.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:57 W3SVC1 192.168.0.250 POST /uploads/tmpfiles.gif.cfm DirPath=C%3A%5CColdFusion8%5Cruntime%5Cservers%5Ccoldfusion%5CSERVER%2DINF%5Ctemp%5Cwwwroot%2Dtmp%5C 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
<cfif isDefined("FORM.Submit") AND isDefined("FORM.file")> 
        
				<cfset serverPath = GetDirectoryFromPath(GetBaseTemplatePath())>
    			
                <cftry>
                	<!--- Mime Types http://www.w3schools.com/media/media_mimeref.asp --->
                    
                    <cffile action="upload"
                    		filefield="file" 
                            destination="#serverPath#\uploads\" 
                            nameconflict="makeunique" 
                            accept="image/jpeg,image/gif,application/zip,application/pdf,audio/mpeg,video/mpeg,application/msword">
                    
 
                    <cfcatch type="any">   
						<cfset errmsg = "A problem was detected!  File type not allowed!">  
                    </cfcatch> 
                </cftry> 
                
                <cfif isdefined('errmsg')> 
					<cfoutput><h3>#errmsg#</h3></cfoutput>
                <cfelse>
                	<cfoutput><h3>File Received, thank you!</h3></cfoutput>
                 </cfif>

Open in new window

0
Kurt4949
Asked:
Kurt4949
1 Solution
 
Jones911Commented:
I would have thought the accept attribute would limit and stop the .cfm files being uploaded.  To check for this you should check the last . and onwards for the files you need to accept ie make sure its .doc, .pdf etc
0
 
Kurt4949Author Commented:
hmm and the messed something up.  Even though my site allows .gif, it won't let me upload.gif anymore.  I'm thinking about reinstalling coldfusion but I want to figure out how they hacked it so it doesn't happen again right after i spend time installing it.
0
 
Kurt4949Author Commented:
I tried uploading .jpg.cfm and it does indeed stop it so i'm puzzled.
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
_agx_Commented:
Unfortunately, it is amazingly trivial to do that.
0
 
Kurt4949Author Commented:
trivial to do what?
0
 
_agx_Commented:
Bypass the accepted mime types
0
 
Kurt4949Author Commented:
Care to explain how?  And do you have a better method so they can't bypass mime types?
0
 
_agx_Commented:
Add some checks on the file extension(s) as Jones suggested.  You could also add some additional checks on the files themselves.  Like for example, use IsImage(filePath) to verify a file is really an image, etc..
0
 
_agx_Commented:
Kurt4949,

Personally, I do not like to post easily exploit code.  Though I am sure there is plenty on the web.  If you post your email or an IM account like AIM in your profile, I can send you an explanation.
0
 
boodyguardCommented:
If the hacker can lunch the file it means that your upload directory is in the web published directory ?

Try to change this directory outside of the www root to be sure that he can not directly publish it.

You can add some test to the file.extension (search cfm for exemple, look how many . you have) and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

0
 
_agx_Commented:
> and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

   That does not always help.

> Try to change this directory outside of the www root to be sure that he can not directly publish it.

     That is the better solution
0
 
Kurt4949Author Commented:
I used both of those suggestions.
0
 
_agx_Commented:
Good :)  
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now