Trying to understand an application.cfm attack

New Here, Feb 01, 2013


I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms... 

This past week I wanted to watch some slow page loads for performance, noting their time to execute.  I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages.  Prior to this, I have not utilized an application.cfm.  I'm pragmatic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.

I soon found myself the recipient of a cross site scripting attack.  I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!

I deleted the application.cfm and onrequestend.cfm and cleaned up my files, having caught it the same day and experiencing little damage.  The attack was only inserting javascript into my index pages via the application.cfm.  Rather ingenious, and it was fun to find and consider.  Payday loan spam.

I've been googling and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.

An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads.  I have a fresh install of CF9 so this did not exist.  There was a cfx folder tree with some "example" code folders.  I've zipped and deleted these.

I have changed ftp to use a non-standard port.  Something that I used to do, but failed to re-instate when I moved to a different host.  I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessible locally via RDP).

If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically.  And while I did not have one before, why did someone not just upload their own?

How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?

My question is this - can the application.cfm be tricked into modifying itself?

Thanks in advance!

Community Expert, Feb 01, 2013


Cross-site vulnerabilities have been identified in ColdFusion 9. You should therefore install the latest security and cumulative hot fixes. You should also use Application.cfc in place of Application.cfm.

New Here, Feb 02, 2013


Thank you for the reply, but I clearly stated that, other than this instance, I do not use an Application.cfm and that I have already removed it.

I posted here to gain insight to how the [Application.cfm] exploit worked.  Not how to avoid or fix it.  I did that and said so.

My question is, - can the application.cfm be tricked into modifying itself?  How is the mere existence of this file a danger?

Thanks in advance.

Community Expert, Feb 03, 2013


Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleaned up my files...", I took that to mean you only deleted the code. I assumed the files were still on the file system. After all, to run a ColdFusion application of any substance, you do need an Application file.

aotgnat wrote:

The attack was only inserting javascript into my index pages via the application.cfm .

Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368).

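An added illustration of the header-reflection point in the reply above, written for this page rather than taken from the thread, the poster or Adobe. The advisories listed above are flaws in ColdFusion's own components and are addressed by the hot fixes; the snippet shows the same class of flaw in ordinary page code, where a request header the attacker fully controls is echoed into the HTML. The page name and wording are hypothetical.

```cfml
<!--- Added illustration (not code from this thread or from Adobe): a request header
      becomes an XSS vector when a page echoes it without encoding. --->

<!--- Vulnerable: User-Agent is attacker-controlled and is written raw into the HTML.
      A header of <script>...</script> is rendered and executed by the next viewer. --->
<cfoutput>
<p>Your browser reports: #cgi.http_user_agent#</p>
</cfoutput>

<!--- Hardened: HTML-encode every request-derived value at the point of output.
      htmlEditFormat() exists in CF9; CF10 and later add encodeForHTML(), which is preferred. --->
<cfoutput>
<p>Your browser reports: #htmlEditFormat(cgi.http_user_agent)#</p>
</cfoutput>
```

To check a page for this, send a marker in the header and inspect the raw response, for example `curl -s -A '<script>alert(1)</script>' http://host/page.cfm`: the vulnerable output returns the tag intact, the hardened one returns `&lt;script&gt;`. The same probe applies to any value a page echoes, not only User-Agent.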
LEGEND, Feb 03, 2013

Going back to the reason you added an Application file in the first place, you can still achieve that with BKBK's suggestion of using an Application.cfc file.  You can use getTickCount() in onRequestStart() and onRequestEnd() to time your pages.  This will give you the number of milliseconds.  I'm not sure if ColdFusion's DateTime objects are that precise.

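A sketch of the Application.cfc approach suggested in the replies above, written here as an added example; it is not code from this thread, from the poster or from Adobe. It times each request with getTickCount() in onRequestStart() and onRequestEnd(), and it also shows why the Application file is the right place for the poster's request sniffer: onRequestStart() runs before every requested page, so a check placed there is applied uniformly instead of depending on each page including it. The application name, the deny-list patterns and the log file name are hypothetical, and the syntax is the CF9-era script form.

```cfml
// Application.cfc (added example; not code from this thread or from Adobe)
component output="false" {

    this.name = "timingDemo";                          // hypothetical application name
    this.applicationTimeout = createTimeSpan(0, 2, 0, 0);

    // Runs before the requested page on every request, so a check placed here
    // cannot be skipped by a page that forgot to include the filter.
    public boolean function onRequestStart(required string targetPage) {
        var i = 0;
        var key = "";
        var rawInput = "";
        // Hypothetical deny-list of request markers; a real filter needs more than this.
        var badPatterns = ["<script", "javascript:", "union select", "onerror="];

        request.startTick = getTickCount();            // millisecond tick for timing

        // Gather the attacker-controlled parts of the request: query string, headers, form fields.
        rawInput = cgi.query_string & " " & cgi.http_user_agent & " " & cgi.http_referer;
        for (key in form) {
            rawInput &= " " & form[key];
        }

        for (i = 1; i <= arrayLen(badPatterns); i++) {
            if (findNoCase(badPatterns[i], rawInput)) {
                // Log the block (pattern and source only, not the payload) and stop the request.
                writeLog(file="requestfilter", type="warning",
                         text="Blocked " & cgi.remote_addr & " on " & cgi.script_name
                              & " (matched " & badPatterns[i] & ")");
                getPageContext().getResponse().setStatus(403);
                return false;                          // false: ColdFusion does not run targetPage
            }
        }
        return true;
    }

    public void function onRequestEnd(required string targetPage) {
        var elapsed = getTickCount() - request.startTick;
        // Emit the timing as an HTML comment so it is visible in the page source
        // without changing the rendered layout.
        writeOutput("<!-- " & arguments.targetPage & " took " & elapsed & " ms -->");
    }
}
```

Place the file in the web root next to index.cfm and remove any Application.cfm, since ColdFusion uses Application.cfc in preference to it. The timing comment is only appropriate for HTML responses; pages that return JSON or binary downloads should skip onRequestEnd output, for example by checking arguments.targetPage.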