Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ColdFusion upload page hacked

Posted on 2009-05-11
14
Medium Priority
?
404 Views
Last Modified: 2013-12-24
I have a form used to upload files.  Some how someone was able to upload a malicious  .cfm file and deface my website.  It looks like they uploaded a file called tmpfiles.gif.cfm  I tried to upload the same file name and my site wouldn't let me, so how did they do it?

Here is part of the IIS log file

2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /upload.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/cfform.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:08 W3SVC1 192.168.0.250 GET /CFIDE/scripts/masks.js - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 304 0 0
2009-05-11 15:11:16 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:28 W3SVC1 192.168.0.250 POST /uploadSend.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:49 W3SVC1 192.168.0.250 GET /uploads/tmpfiles.gif.cfm - 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
2009-05-11 15:11:57 W3SVC1 192.168.0.250 POST /uploads/tmpfiles.gif.cfm DirPath=C%3A%5CColdFusion8%5Cruntime%5Cservers%5Ccoldfusion%5CSERVER%2DINF%5Ctemp%5Cwwwroot%2Dtmp%5C 80 - 78.161.242.119 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+GTB5;+Avant+Browser;+InfoPath.1) 200 0 0
<cfif isDefined("FORM.Submit") AND isDefined("FORM.file")> 
        
				<cfset serverPath = GetDirectoryFromPath(GetBaseTemplatePath())>
    			
                <cftry>
                	<!--- Mime Types http://www.w3schools.com/media/media_mimeref.asp --->
                    
                    <cffile action="upload"
                    		filefield="file" 
                            destination="#serverPath#\uploads\" 
                            nameconflict="makeunique" 
                            accept="image/jpeg,image/gif,application/zip,application/pdf,audio/mpeg,video/mpeg,application/msword">
                    
 
                    <cfcatch type="any">   
						<cfset errmsg = "A problem was detected!  File type not allowed!">  
                    </cfcatch> 
                </cftry> 
                
                <cfif isdefined('errmsg')> 
					<cfoutput><h3>#errmsg#</h3></cfoutput>
                <cfelse>
                	<cfoutput><h3>File Received, thank you!</h3></cfoutput>
                 </cfif>

Open in new window

0
Comment
Question by:Kurt4949
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 19

Expert Comment

by:Jones911
ID: 24360215
I would have thought the accept attribute would limit and stop the .cfm files being uploaded.  To check for this you should check the last . and onwards for the files you need to accept ie make sure its .doc, .pdf etc
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360240
hmm and the messed something up.  Even though my site allows .gif, it won't let me upload.gif anymore.  I'm thinking about reinstalling coldfusion but I want to figure out how they hacked it so it doesn't happen again right after i spend time installing it.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360246
I tried uploading .jpg.cfm and it does indeed stop it so i'm puzzled.
0
Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

 
LVL 52

Expert Comment

by:_agx_
ID: 24360294
Unfortunately, it is amazingly trivial to do that.
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360298
trivial to do what?
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360304
Bypass the accepted mime types
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24360319
Care to explain how?  And do you have a better method so they can't bypass mime types?
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360323
Add some checks on the file extension(s) as Jones suggested.  You could also add some additional checks on the files themselves.  Like for example, use IsImage(filePath) to verify a file is really an image, etc..
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24360339
Kurt4949,

Personally, I do not like to post easily exploit code.  Though I am sure there is plenty on the web.  If you post your email or an IM account like AIM in your profile, I can send you an explanation.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24360622
0
 
LVL 1

Accepted Solution

by:
boodyguard earned 2000 total points
ID: 24369323
If the hacker can lunch the file it means that your upload directory is in the web published directory ?

Try to change this directory outside of the www root to be sure that he can not directly publish it.

You can add some test to the file.extension (search cfm for exemple, look how many . you have) and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

0
 
LVL 52

Expert Comment

by:_agx_
ID: 24380293
> and why not change the name of the file after uploading (with UUID the hacker can try all the night :-)

   That does not always help.

> Try to change this directory outside of the www root to be sure that he can not directly publish it.

     That is the better solution
0
 
LVL 7

Author Comment

by:Kurt4949
ID: 24380443
I used both of those suggestions.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24380548
Good :)  
0

Featured Post

Tech or Treat! - Giveaway

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the typical problems I have experienced is when you have to move a web server from one hosting site to another. You normally prepare all on the new host, transfer the site, change DNS and cross your fingers hoping all will be ok on new server…
Hi, Even though I have created this Tutorial on My personal Blog, Some people might not able to find my website, So here i am posting it again Today, from the topic it is very clear that i will be showing you here the very basic usage of how we …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question