---------- Forwarded message ----------
Date: Mon, 14 Sep 1998 12:12:23 -0600
From: INFO2000 TECH <colbyat_private>
To: NTBUGTRAQat_private
Subject: ColdFusion File Upload Exploit

The following message was posted to the Allaire's COLD FUSION forums:

As previously noticed in the thread:
http://forums.allaire.com/devconf/Thread_MessageList.cfm?&&Message_ID=71293

By default, on Windows NT installations, the CF function GetTempDirectory returns C:\WINNT. This can be exploited with the "Coffee Valley Document Library", included in the Cold Fusion Installation Examples. This allows users to upload arbitrary files to the C:\WINNT directory.

THIS IS A SECURITY RISK. C:\WINNT is the second item in the default Windows NT path, and this exploit can be used to introduce trojans into this directory.

Even though the Coffee Valley example uses the CFFILE attribute "MakeUnique", which will not overwrite existing files with the uploaded filename, there is still a security risk in that new executables and DLLs can be introduced. On a smaller note, the file system could be filled up with garbage files.

WORKAROUND:

Currently, TEMP is correctly set to C:\TEMP as a User Environment Variable, but should also be set as a System Environment Variable.

It would also be a really good idea to disable public access to the /CFDOCS directory on any machine running Cold Fusion (as this is where the Example Applications reside).

This is a "feature" of CF 3.x AND CF 4.0, AND this bug has been reported as a "benign" bug on the Beta Forums...
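A defensive check for the misconfiguration the post describes, added here as an example (not code from the original message, from Allaire, or from the Coffee Valley sample): it refuses an upload destination that lies on the executable search PATH or inside a system directory, and rejects executable extensions regardless of MakeUnique. The PATH string, system directory list and extension allow-list are constructed assumptions, not values from the post.

```python
import ntpath

# Constructed sample values (assumptions): a default-looking Windows NT PATH
# in which C:\WINNT is the second entry, as the post states, plus the
# directories we never want user-supplied files written into.
SAMPLE_PATH = r"C:\WINNT\system32;C:\WINNT;C:\CFUSION\BIN"
SYSTEM_DIRS = (r"C:\WINNT", r"C:\WINNT\system32")
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".doc"}  # document library, no code

def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise case, separators and
    # trailing slashes so "c:/winnt/" and "C:\WINNT" compare equal.
    return ntpath.normcase(ntpath.normpath(path))

def _is_within(child: str, parent: str) -> bool:
    # True when child is parent itself or a subdirectory of it.
    child, parent = _norm(child), _norm(parent)
    return child == parent or child.startswith(parent + ntpath.sep)

def unsafe_upload_dir_reasons(dest: str, path_env: str = SAMPLE_PATH) -> list:
    """Return why `dest` is a dangerous upload destination ([] means ok).

    A directory on PATH lets an uploaded EXE/DLL be picked up as a
    legitimate binary, and a system directory is never a place for
    user-supplied files, even when the server avoids overwriting.
    """
    reasons = []
    for entry in filter(None, path_env.split(";")):
        if _is_within(dest, entry):
            reasons.append(f"inside PATH entry {entry}")
    for sysdir in SYSTEM_DIRS:
        if _is_within(dest, sysdir):
            reasons.append(f"inside system directory {sysdir}")
    return reasons

def upload_allowed(dest: str, filename: str, path_env: str = SAMPLE_PATH) -> bool:
    """Accept the upload only if the directory is safe and the extension is allowed."""
    if unsafe_upload_dir_reasons(dest, path_env):
        return False
    # Drop any client-supplied directory component before checking the extension.
    base = ntpath.basename(filename.replace("/", "\\"))
    _, ext = ntpath.splitext(base)
    return ext.lower() in ALLOWED_EXTENSIONS

if __name__ == "__main__":
    for d in (r"C:\WINNT", r"c:/winnt/temp/", r"C:\CFUSION\UPLOADS"):
        print(d, "->", unsafe_upload_dir_reasons(d) or "ok")
```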
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:17 PDT