[7943] in bugtraq


ColdFusion File Upload Exploit (fwd)

daemon@ATHENA.MIT.EDU (Aleph One)
Mon Sep 14 22:58:28 1998

Date: 	Mon, 14 Sep 1998 20:23:41 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG

---------- Forwarded message ----------
Date: Mon, 14 Sep 1998 12:12:23 -0600
From: INFO2000 TECH <colby@INFO2000.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: ColdFusion File Upload Exploit

The following message was posted to Allaire's COLD FUSION forums:


As previously noticed in the thread:
 http://forums.allaire.com/devconf/Thread_MessageList.cfm?&&Message_ID=71293

By default, on Windows NT installations, the CF function, GetTempDirectory
returns C:\WINNT.

This can be exploited with the "Coffee Valley Document Library", included in the
Cold Fusion Installation Examples. This allows users to upload arbitrary files
to the C:\WINNT directory. THIS IS A SECURITY RISK. C:\WINNT is the second item
in the default Windows NT path, and this exploit can be used to introduce
trojans into this directory. Even though the Coffee Valley example uses the
CFFILE attribute "MakeUnique", which will not overwrite existing files with the
uploaded filename, there is still a security risk in that new executables and
DLLs can be introduced. On a smaller note, the file system could be filled up
with garbage files.

WORKAROUND: Currently, TEMP is correctly set to C:\TEMP as a User Environment
Variable, but should also be set as a System Environment Variable.

It would also be a really good idea to disable public access to the /CFDOCS
directory on any machine running Cold Fusion (as this is where the Example
Applications reside).

This is a "feature" of CF 3.x AND CF 4.0, AND this bug has been reported as a
"benign" bug on the Beta Forums...
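The check an administrator would want after reading the above is whether the directory CFFILE will write to sits on the system PATH. The following audit script is an added example, not code from the post or from Allaire; it assumes (as the post describes) that GetTempDirectory() returns the system TEMP variable when set and falls back to C:\WINNT otherwise, and it uses the default NT PATH the post refers to as constructed sample input.

```python
import ntpath

# Constructed sample values modelled on the post: the NT Windows
# directory and a default PATH in which C:\WINNT is the second entry.
WINDOWS_DIR = r"C:\WINNT"
DEFAULT_NT_PATH = r"C:\WINNT\system32;C:\WINNT"


def resolve_temp_dir(system_env):
    """Assumed model of GetTempDirectory(): the server runs as a service,
    so only a *system* TEMP variable is visible to it; a per-user TEMP
    (the situation the post describes) is ignored and C:\WINNT is used."""
    return system_env.get("TEMP") or WINDOWS_DIR


def _norm(path):
    # Case-insensitive, separator-normalised form for comparing NT paths.
    return ntpath.normcase(ntpath.normpath(path))


def path_position(directory, path_value):
    """Return the 1-based position of `directory` in a PATH string,
    or 0 if it does not appear at all."""
    target = _norm(directory)
    for index, entry in enumerate(path_value.split(";"), start=1):
        if entry and _norm(entry) == target:
            return index
    return 0


def audit_upload_destination(system_env, path_value=DEFAULT_NT_PATH):
    """Report where an upload destined for the CF temp directory lands and
    whether that directory is searched for executables via PATH."""
    destination = resolve_temp_dir(system_env)
    position = path_position(destination, path_value)
    return {
        "destination": destination,
        "path_position": position,
        "risky": position > 0,
    }


if __name__ == "__main__":
    # Default NT install with TEMP only set per user: uploads land in C:\WINNT.
    print(audit_upload_destination({}))
    # After the workaround from the post: TEMP set as a system variable.
    print(audit_upload_destination({"TEMP": r"C:\TEMP"}))
```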
