Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.
The slides were published here and the video from hashdays is here, no video for BSides ATL.
I consistently violate presentation zen, and I try to make my slides usable after the talk, but I decided to do a few blog posts covering the topics I put in the talk anyway.
Post [2] ColdFusion
Whhhhaaaat? ColdFusion?
- Originally released in 1995 by Allaire
- Motivation: make it easier to connect simple HTML pages to a database
- Along the way became full Java
- Latest version is ColdFusion 9 released in 2009
- Most recent features focus on integration with other technologies, e.g. Flash, Flex, AIR, Exchange, MS Office, etc.
- Common to see CF 7 - 9 on the web
- Open Source CFML available as well
  - BlueDragon, Railo, Mura CMS
Background Reading:
http://averagesecurityguy.info/2011/12/09/owning-a-coldfusion-server/
https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf
https://media.blackhat.com/bh-us-10/whitepapers/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-wp.pdf
http://www.orkspace.net/secdocs/Conferences/EuSecWest/2006/ColdFusion%20Security.pdf
Locale traversal: CVE-2010-2861
coldfusion_locale_traversal.rb
great overview/walkthru here: http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
Vulnerable Versions:
- ColdFusion MX6 6.1 base patches
- ColdFusion MX7 7,0,0,91690 base patches
- ColdFusion MX8 8,0,1,195765 base patches
- ColdFusion MX8 8,0,1,195765 with Hotfix4
- ColdFusion 9? Immunity reported yes, but Adobe fixed the downloadable version of 9, so maaaaaaybe if it's an old version of 9.

*No patches exist for 6 & 7, so if you see CF6 or CF7 it's always vuln to the bug.*
Adobe XML External Entity Injection: CVE-2009-3960
adobe_xml_inject.rb
advisory info here: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
There's lots more to the ColdFusion story, enough that I recently gave a talk on it.
6 comments:
Hey CG, think you'll like this :)
https://dev.metasploit.com/redmine/issues/6822
Good article as always, though would be nice to see the slides...
I'm working on getting the slides to the SOURCE ppl. I'm actually way late on them.
I'll try to get them posted tonight.
The history of CF is a little out of date. It says the latest version is 9. The latest version of ColdFusion is actually 11 and came out a couple months ago. CF also has some nice secure-by-default installation options to help admins lock it down.
@brad well, the post IS two years old :-/
Yeah, I saw that *after* I posted. I came here from a link on Twitter and assumed it was a recent article.
yeah it needs an update. probably not gonna happen soon though.