

Security breach: ColdFusion 8 IIS server vulnerability

Posted on 2011-09-14
Medium Priority
Last Modified: 2012-05-12
Some malicious CF shells were found on the CF8 server.
These scripts appear to have been used to route mail through ColdFusion as well, which would explain the repeated errors being received from SmarterMail (shown in cf mail.log):

Our host engineers have suggested a
<cffile action="upload"> script that would allow the attacker to get a template onto the system, then use tags such as <cfexecute> to further open the system up.

Here is our typical cffile code. We only allow certain file types, i.e. doc, jpg, pdf, etc.

Do you know of this vulnerability with cffile? What can be done to tighten it up?

For picture uploads

<cfset DestinationDirectory = "C:\Websites\BlaBlaBla\pics">

<!--- FILEFIELD (the form field holding the file) was not shown in the post; "NewFile" is assumed --->
<cffile action = "Upload"
        FILEFIELD = "NewFile"
        DESTINATION = "#DestinationDirectory#\#NewFile#"
        ACCEPT = "image/jpeg,image/jpg,image/pjpeg">

For documents and scans

<!--- FILEFIELD name assumed here too --->
<cffile action = "Upload"
        FILEFIELD = "MemberSlide"
        DESTINATION = "#DestinationDirectory#\#form.MemberSlideName#.tmp">


Question by: Ian White
LVL 39

Expert Comment

ID: 36540521
If you upload the file to a destination within the webroot, the file could be executed using a browser if they know the path to the file.   Often files are kept outside the webroot so this cannot happen.

It's interesting that you change the extension of the file when uploading, I would think that would help.  I do just the opposite.  I change the file name (because the user's file name often can contain illegal characters) and keep the extension.  So, I rename it to 1234.jpg  or 98437.doc.  

Use cfdocument to pull the file from outside the webroot and deliver it under the correct name.
LVL 52

Expert Comment

ID: 36540687
>> Do you know of this vulnerability with cffile? What can be done to tighten it up?
>> ACCEPT="image/jpeg,image/jpg,image/pjpeg"

It's probably a mime type exploit. Mime types are easy to fake. A more robust test is to verify the file really contains an image with the IsImage function, along with checking the file extension.

>> Often files are kept outside the webroot so this cannot happen
>> Use cfcontent to pull the file from outside the webroot and deliver it under the correct name.

That's the best security measure you can take.  Just make sure the directory does not allow execution.  The malicious code can't run if the file cannot be executed.  

This thread has some very good tips on securing file uploads


Author Comment

by: Ian White
ID: 36542087
Does the hacker have the webroot path of the uploaded file? It goes to subdirectory /pics but if this
was something obscure like /dsaf97fds would that not achieve the same thing? Also if executions are not allowed from this directory would that not stop that?

LVL 52

Expert Comment

ID: 36542647
>> Does the hacker have the webroot path of the uploaded file?
>> would that not achieve the same thing?

No you can't rely on security by obscurity.  If the app provides a direct link to files, they could be executed just by a user clicking on a link, etc..

>> Also if executions are not allowed from this directory would that not stop that?

Probably... but the exact settings vary by web server and o/s. With rules and inheritance it's easy to overlook something. I'd run it past your network admin.  

But storing them outside the web root is simplest.  The files can't be accessed at all via the web. Using <cfcontent> to return them to the user ensures they're never executed.

Expert Comment

ID: 36542673
at: AveAGo:
Even if execution is not allowed, it would be still possible to execute cold fusion scripts (*.cfm) files via cfexecute, because otherwise it would not be possible to process any coldfusion pages in this directory.

To increase the level of security you could disable the cfexecute tag within coldfusion administrator:
in CF8: Security Menu - Sandbox Security: Activate Sandbox Security and Restart ColdFusion. Add the appropriate directories with "Add Security Sandbox". Select each directory from the list at "Defined Directory Permissions". After selecting a directory, a new tabbed menu is displayed for this directory. Choose "CF Tags" and "CF Functions" to disable certain tags and functions at your needs.

And you could disable execution of javascript that is transmitted to the cf server via form fields, e.g. if the users can edit page content or forum threads. Just use "Server Settings / Settings" and activate "Enable Global Script Protection". This will automatically strip all scripting expressions from form and url data and cookies. But: Users that are using a content management system and intentionally want to edit html directly are then not able any more to edit java script, because their scripting texts are stripped too.
LVL 52

Expert Comment

ID: 36543082
>> execute cold fusion scripts (*.cfm) files via cfexecute

You can't run a cfm script via cfexecute.  But hackers wouldn't need to. All it takes to execute a .cfm script is to open the url in a browser and any malicious code inside it runs.  

>> you could disable the cfexecute tag

Truthfully a hacker doesn't need cfexecute to do lots of damage.  Once they manage to upload a cfm script to a web accessible location that allows execution, you've got much bigger problems.  Anything you can do in code - they can do too. Read/modify the file system, databases, etc...

>> it would not be possible to process any coldfusion pages in this directory

Yeah, but normally you don't want to store .cfm scripts and uploaded files all jumbled together in the same directory anyway.

Accepted Solution

hyperfuse earned 1000 total points
ID: 36543597
at agx: okay, I now have got that with "cfexecute". I did not know that cfexecute cannot execute cfm files (we never tried it and have disabled cfexecute on all systems) So thanks for that bit ;-)

I completely agree that the solution to store the files outside the web space and deliver them via cfcontent is the most secure way to do this.

Another idea as a temporary work around: As far as I know, the web server decides by file extension which files have to be passed to ColdFusion, e.g. cfm, cfc, etc. So it would be a good idea to avoid uploading files with those extensions. So files could be uploaded then to a directory outside the web space, extension could be checked, and all cfm etc. files will be deleted automatically after the upload. Other files could be copied to their designated destination. Proceeding that way would not cause any changes in document retrieval, so those programs do not need to be changed.
This will give AveAGo some more time to upgrade the programs and to implement the solution with cfcontent.
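An upload handler along the lines _agx_ and hyperfuse describe above: land the file outside the web space, whitelist the extension and verify the bytes are really an image, delete anything that fails, and store the rest under a generated name. This is an added example, not code from the thread; the form field name, the C:\Uploads path and the JPEG-only restriction are assumptions, and IsImageFile() (the path-taking variant) is used in place of the IsImage() mentioned above.

```cfml
<!--- upload.cfm: added example, not code from the thread. Assumes the form posts
      the file in a field named "upload", that C:\Uploads\... is outside the IIS
      web root, and that only JPEG images are wanted here. --->
<cfset storeDir = "C:\Uploads\BlaBlaBla\pics">
<cfset allowedExt = "jpg,jpeg">

<!--- 1. Land the file in the temp directory, never under C:\Websites.
      nameconflict="makeunique" prevents overwriting an existing file. --->
<cffile action="upload"
        filefield="upload"
        destination="#GetTempDirectory()#"
        nameconflict="makeunique"
        accept="image/jpeg,image/pjpeg">
<cfset tempPath = cffile.serverDirectory & "\" & cffile.serverFile>

<cftry>
    <!--- 2. accept= only checks the browser-supplied MIME type, which is trivially
          faked, so also whitelist the extension and verify the bytes are an image. --->
    <cfif NOT ListFindNoCase(allowedExt, cffile.serverFileExt)>
        <cfthrow message="Extension .#cffile.serverFileExt# is not allowed">
    </cfif>
    <cfif NOT IsImageFile(tempPath)>
        <cfthrow message="File content is not a valid image">
    </cfif>

    <!--- 3. Drop the user-supplied name entirely: store under a generated name with
          the verified extension. Nothing under storeDir is reachable by URL. --->
    <cfset storedName = CreateUUID() & "." & LCase(cffile.serverFileExt)>
    <cffile action="move" source="#tempPath#" destination="#storeDir#\#storedName#">

    <!--- Save storedName against the member in the database; the download page
          looks it up by id so users never see or choose a file path. --->
    <cfoutput><p>Upload accepted.</p></cfoutput>

    <cfcatch type="any">
        <!--- 4. Anything that fails validation is deleted rather than left on disk
              (hyperfuse's reject-and-delete step). --->
        <cfif FileExists(tempPath)>
            <cfset FileDelete(tempPath)>
        </cfif>
        <cfoutput><p>Upload rejected: #cfcatch.message#</p></cfoutput>
    </cfcatch>
</cftry>
```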
LVL 52

Assisted Solution

_agx_ earned 1000 total points
ID: 36543943
>> I did not know that cfexecute cannot excecute cfm files

To clarify, the reason is .cfm files aren't independent like executables. They need a bunch of other stuff to execute them, ie a cf server, web context, etc.. Might be technically possible to do it, but it's hardly worth the effort when other exploits are so much simpler.

>> So it would be a good idea to avoid uploading files with those extensions.
Remember it's not just .cfm files that are risky.  There's .exe's and other file types too. Basically any language running on the server, asp, php, etc..  

But like I mentioned, it's too easy to miss things with that approach. The more bulletproof solution is storing the files where they can't be executed and ONLY serving them up with <cfcontent>.
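The matching download page for the "store outside the web root, serve only with <cfcontent>" approach _agx_ recommends. Added example, not code from the thread; the datasource, the member_files table and columns, session.memberId and the storage path are assumptions.

```cfml
<!--- download.cfm: added example, not code from the thread. Assumes files were
      stored outside the web root under generated names by the upload handler, and
      that a table member_files(id, member_id, stored_name, original_name, mime_type)
      on datasource "membersDSN" records them; those names are made up. --->
<cfset storeDir = "C:\Uploads\BlaBlaBla\pics">
<cfparam name="url.id" default="">

<!--- Only an integer id is accepted; the user never supplies a path or filename. --->
<cfif NOT IsValid("integer", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Look the file up, and only among files belonging to the logged-in member. --->
<cfquery name="doc" datasource="membersDSN">
    SELECT stored_name, original_name, mime_type
    FROM member_files
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND member_id = <cfqueryparam value="#session.memberId#" cfsqltype="cf_sql_integer">
</cfquery>

<cfset filePath = storeDir & "\" & doc.stored_name>

<!--- Refuse anything that is missing or that would escape storeDir. --->
<cfif doc.recordCount NEQ 1 OR Find("..", doc.stored_name) OR NOT FileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Send it as a download under a sanitised copy of the original name. ColdFusion
      streams the bytes itself, so IIS never maps the file to a handler and nothing
      inside it can execute, whatever it really contains. --->
<cfset safeName = ReReplace(doc.original_name, "[^A-Za-z0-9._-]", "_", "all")>
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
<cfcontent type="#doc.mime_type#" file="#filePath#" deleteFile="no">
```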

Author Closing Comment

by: Ian White
ID: 36558275
thanks for contributions
