
Trying to understand an application.cfm attack

Feb 1, 2013 1:36 PM

Tags: #cross #site #scripting #application.cfm #spam #attack

I have a site that I've been running without issue for years now - I sniff and block for cross-site scripting, SQL injection, executable file uploads, and employ honeypot fields on forms...


This past week I wanted to watch some slow page loads for performance, noting their time to execute.  I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages.  Prior to this, I have not utilized an application.cfm.  I'm pragmatic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.


I soon found myself the recipient of a cross site scripting attack.  I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!


I deleted the application.cfm and onrequestend.cfm and cleaned up my files, having caught it the same day and experiencing little damage.  The attack was only inserting javascript into my index pages via the application.cfm.  Rather ingenious and it was fun to find and consider.  Payday loan spam.


I've been googling and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.


An article I found mentions vulnerable files in the legacy CFDOCS folder that allow access and uploads.  I have a fresh install of CF9 so this did not exist.  There was a cfx folder tree with some "example" code folders.  I've zipped and deleted these.


I have changed FTP to use a non-standard port.  Something that I used to do, but failed to reinstate when I moved to a different host.  I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessible locally via RDP).


If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically?  And while I did not have one before, why did someone not just upload their own?


How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?


My question is this - can the application.cfm be tricked into modifying itself?


Thanks in advance!

  • Feb 1, 2013 2:02 PM   in reply to aotgnat

    Cross-site vulnerabilities have been identified in ColdFusion 9. You should therefore install the latest security and cumulative hot fixes. You should also use Application.cfc in place of Application.cfm.

  • Feb 3, 2013 1:31 AM   in reply to aotgnat

    Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleaned up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.


    aotgnat wrote:


    The attack was only inserting javascript into my index pages via the application.cfm.

    Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368).

  • Feb 3, 2013 4:38 AM   in reply to aotgnat

    Going back to the reason you added an Application file in the first place, you can still achieve that with BKBK's suggestion of using an Application.cfc file.  You can use getTickCount() in onRequestStart() and onRequestEnd() to time your pages.  This will give you the number of milliseconds.  I'm not sure if ColdFusion's DateTime objects are that precise.
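
The timing approach suggested in the last reply, as an added example that is not part of the original thread: a tag-based Application.cfc that records getTickCount() in onRequestStart() and logs slow requests in onRequestEnd(). The application name, the 500 ms threshold and the pagetiming log file name are assumptions.

```cfml
<!--- Application.cfc: added example, not code posted in this thread. --->
<cfcomponent output="false">
    <!--- Application name is a placeholder (assumption). --->
    <cfset this.name = "exampleTimedApp">
    <!--- Only log requests slower than this many milliseconds (assumed threshold). --->
    <cfset variables.slowMs = 500>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- The request scope is per-request, so concurrent requests do not overwrite each other's start time. --->
        <cfset request.startTick = getTickCount()>
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestEnd" returnType="void" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var elapsed = 0>
        <!--- If onRequestStart did not set the tick, skip instead of raising an error. --->
        <cfif structKeyExists(request, "startTick")>
            <cfset elapsed = getTickCount() - request.startTick>
            <cfif elapsed GTE variables.slowMs>
                <!--- Log to a file (assumed name "pagetiming") rather than appending to page output. --->
                <cflog file="pagetiming" type="information"
                       text="#arguments.targetPage# took #elapsed# ms">
            </cfif>
        </cfif>
    </cffunction>
</cfcomponent>
```

Because the timing goes to a log file instead of the rendered page, nothing derived from the request is written back into the response.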
