I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms...
This past week I wanted to watch some slow page loads for performance, noting their time to execute. I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages. Prior to this, I have not utilzed an application.cfm. I'm pragmattic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.
I soon found myself the recipient of a cross site scripting attack. I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!
I've been google'ing and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.
An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads. I have a fresh install of CF9 so this did not exist. There was a cfx folder tree with some "example" code folders. I've zipped and deleted these.
I have changed ftp to use a non-standard port. Something that I used to do, but failed to re-instate when I moved to a different host. I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessable locally via RDP).
If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically. And while I did not have one before, why did someone not just upload their own?
How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?
My question is this - can the application.cfm be tricked into modifying itself?
Thanks in advance!
Thank you for the reply, but I clearly stated that, other than this instance, I do not use an Application.cfm and that I have already removed it.
I posted here to gain insight to how the [Application.cfm] exploit worked. Not how to avoid or fix it. I did that and said so.
My question is, - can the application.cfm be tricked into modifying itself? How is the mere existence of this file a danger?
Thanks in advance.
Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleanded up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.
Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368).
Going back to the reason you added an Application file in the first place, you can still achieve that with BKBK's suggestion of using an Application.cfc file. You can use getTickCount() in onRequestStart() and onRequestEnd() to time your pages. This will give you the number of milliseconds. I'm not sure if ColdFusion's DateTime objects are that precise.
Europe, Middle East and Africa