Cold Fusion Vulnerabilities

Impact

Various vulnerabilities in the sample scripts included in Cold Fusion could be exploited to read arbitrary files, upload files, or create a denial of service.

Background

The Cold Fusion Application Server includes online documentation and sample code by default. Included in the sample code is the Expression Evaluator utility, which allows a developer to experiment with Cold Fusion expressions by uploading expressions from a local PC and having the Expression Evaluator evaluate them.

The Problem


Expression Evaluator File Upload

A vulnerability in the Cold Fusion Expression Evaluator utility could allow an attacker to view and delete any file on the system, and to upload files anywhere on the server. The ability to upload executable files makes this vulnerability even more critical.

The file /cfdocs/expeval/exprcalc.cfm is intended to display the file uploaded by the user and then delete it. However, it does not restrict the path it opens to the uploaded file, so it can easily be used to display and delete any file the server process can reach. Furthermore, it can even be used to delete itself, so that subsequently uploaded files will not be deleted by the Expression Evaluator and will remain on the server; combined with the upload capability, this lets an attacker place executable content on the server. Cold Fusion Application Server versions 2.0, 3.0, 3.1, and 4.0 have this vulnerability.
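The defect described above is the generic "display a user-named file, then delete it" pattern with no check that the name stays inside the upload area. The following Python is an added illustration of that pattern and of the check that closes it; it is not the source of exprcalc.cfm or any Allaire code, and the directory layout, file names and contents it builds under a temporary directory are constructed for the demonstration.

```python
import os
import shutil
import tempfile


class PathOutsideUploadDir(ValueError):
    """Raised when a requested name resolves outside the upload directory."""


def view_and_delete_vulnerable(requested_path):
    """Vulnerable pattern (illustration, not exprcalc.cfm itself):
    the path is used exactly as supplied, so '../secret.txt' or an absolute
    path is displayed and then removed just like a genuine upload."""
    with open(requested_path, "rb") as f:
        data = f.read()
    os.remove(requested_path)
    return data


def view_and_delete_hardened(upload_dir, requested_name):
    """Hardened version: resolve the final path (symlinks and '..' included)
    and refuse anything that does not land strictly inside upload_dir."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathOutsideUploadDir(requested_name)
    with open(target, "rb") as f:
        data = f.read()
    os.remove(target)
    return data


def demo():
    """Build a constructed layout (uploads/expr.txt plus a secret file one
    level up), then exercise both versions. Returns a dict of outcomes."""
    root = tempfile.mkdtemp()
    try:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        secret = os.path.join(root, "secret.txt")  # constructed sample data
        with open(secret, "w") as f:
            f.write("db password\n")
        with open(os.path.join(uploads, "expr.txt"), "w") as f:
            f.write("1+1\n")

        results = {}
        # Legitimate use: the hardened handler displays and removes the upload.
        results["hardened_normal"] = view_and_delete_hardened(uploads, "expr.txt")
        # Traversal attempt against the hardened handler is rejected; the
        # secret file is untouched.
        try:
            view_and_delete_hardened(uploads, "../secret.txt")
            results["hardened_blocked"] = False
        except PathOutsideUploadDir:
            results["hardened_blocked"] = True
        results["secret_intact_after_hardened"] = os.path.exists(secret)
        # Same traversal against the vulnerable handler: contents leak and
        # the file is deleted.
        results["vuln_leak"] = view_and_delete_vulnerable(
            os.path.join(uploads, "../secret.txt"))
        results["secret_deleted_by_vuln"] = not os.path.exists(secret)
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `commonpath` test is done on `realpath` output so that a symlink dropped into the upload directory cannot be used to escape it either; checking only for a leading `..` in the string would miss that case.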


Source code viewing using sourcewindow.cfm

CVE-1999-0922
The example script sourcewindow.cfm allows a remote user to view the source code of any file on the server.


Vulnerabilities in Cold Fusion snippets

Vulnerabilities in several of the sample scripts included in the "snippets" directory could allow an attacker to verify the existence of files on the server, view the source code of Cold Fusion files, or create a denial of service.


Denial of Service in Syntax Checker

CVE-1999-0924
The Syntax Checker is used to check the syntax of Cold Fusion files. By sending a request which instructs it to check the syntax of *.* (that is, every file), an attacker can create a heavy CPU load on the server, slowing the response to legitimate requests.


Denial of Service in Start/Stop utility

Cold Fusion contains a Java applet designed to allow an administrator to start or stop the Cold Fusion service. When Basic Security is enabled, this utility is password-protected, so that only an administrator can use it. However, when Advanced Security is enabled, it overrides the password-protection. This allows any remote user to stop the Cold Fusion service, thus creating a denial of service. Cold Fusion 4.0 and 4.0.1 are affected by this vulnerability if Advanced Security is enabled.

Resolutions

In general, online documentation and sample utilities should not be kept on operational web servers. Any files which are not needed should be deleted from the web server. To fix the vulnerabilities mentioned above, simply delete the files and directories named above which contain the vulnerabilities (the /cfdocs/expeval directory, sourcewindow.cfm, and the "snippets" directory).

If the Expression Evaluator is needed, then either secure the /cfdocs/expeval directory so that it is only accessible by users who require it, or install the patch described in Allaire Security Bulletin 99-01.

If the Start/Stop utility is needed, and Advanced Security is enabled, upgrade to the latest version of Cold Fusion, or use standard Web Server security to restrict startstop.html so that it is only accessible to authorized users.
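The resolution above amounts to an inventory-and-remove job on the web root. The following Python script is an added example of that audit; it is not a tool from Allaire or from the advisory. It searches for the sample content named on this page and removes it when run without `--dry-run`. The only directory the page gives in full is /cfdocs/expeval; the location of the "snippets" directory under /cfdocs is an assumption, and sourcewindow.cfm and startstop.html are matched by file name wherever they sit because the page does not give their directories. The temporary web root built by `demo()` is constructed for the demonstration.

```python
import os
import shutil
import sys
import tempfile

# Directories named on the page. "cfdocs/snippets" is an assumed location;
# the page only says the snippets live in a "snippets" directory.
SAMPLE_DIRS = [
    "cfdocs/expeval",    # Expression Evaluator (given on the page)
    "cfdocs/snippets",   # assumed path of the "snippets" directory
]

# Files named on the page, matched by name anywhere under the web root
# because the page does not state their directories.
SAMPLE_FILES = {"exprcalc.cfm", "sourcewindow.cfm", "startstop.html"}


def find_sample_content(webroot):
    """Return sorted absolute paths of sample dirs/files found under webroot."""
    root = os.path.realpath(webroot)
    found = set()
    for rel in SAMPLE_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            found.add(path)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in SAMPLE_FILES:
                found.add(os.path.join(dirpath, name))
    return sorted(found)


def remove_sample_content(webroot, dry_run=True):
    """Remove what find_sample_content() reports (directories recursively).
    Returns the list of paths acted on; with dry_run=True nothing is touched."""
    acted = []
    for path in find_sample_content(webroot):
        if not dry_run:
            if os.path.isdir(path):
                shutil.rmtree(path)
            elif os.path.exists(path):   # may already be gone with its parent dir
                os.remove(path)
        acted.append(path)
    return acted


def demo():
    """Constructed web root: a vulnerable layout, then the audit and cleanup.
    Returns (found_before, found_after, production_file_survives)."""
    root = tempfile.mkdtemp()
    try:
        for rel in ("cfdocs/expeval", "cfdocs/snippets", "app"):
            os.makedirs(os.path.join(root, rel))
        for rel in ("cfdocs/expeval/exprcalc.cfm",
                    "cfdocs/snippets/sourcewindow.cfm",
                    "startstop.html",
                    "app/index.cfm"):                      # real application file
            with open(os.path.join(root, rel), "w") as f:
                f.write("<!-- constructed sample -->\n")
        before = [os.path.relpath(p, root) for p in find_sample_content(root)]
        remove_sample_content(root, dry_run=False)
        after = [os.path.relpath(p, root) for p in find_sample_content(root)]
        survives = os.path.exists(os.path.join(root, "app/index.cfm"))
        return before, after, survives
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: audit_cfdocs.py WEBROOT [--dry-run]")
        sys.exit(2)
    dry = "--dry-run" in sys.argv[2:]
    for p in remove_sample_content(sys.argv[1], dry_run=dry):
        print(("would remove: " if dry else "removed: ") + p)
```

Run it with `--dry-run` first and review the list; a file-name match on `startstop.html` outside the Cold Fusion documentation tree could be an unrelated page, and the script removes whatever it lists.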

Where can I read more about this?

More information about the Expression Evaluator vulnerability can be found in the L0pht Security Advisory and in Allaire Security Bulletin 99-01.

For more information about the sourcewindow, snippets, and syntax checker vulnerabilities, see the Rain Forest Puppy advisory and Allaire Security Bulletin 99-02.

More information about the Start/Stop vulnerability can be found in Allaire Security Bulletin 99-07.