I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms...
This past week I wanted to watch some slow page loads for performance, noting their time to execute. I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages. Prior to this, I have not utilzed an application.cfm. I'm pragmattic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.
I soon found myself the recipient of a cross site scripting attack. I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!
I've been google'ing and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.
An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads. I have a fresh install of CF9 so this did not exist. There was a cfx folder tree with some "example" code folders. I've zipped and deleted these.
I have changed ftp to use a non-standard port. Something that I used to do, but failed to re-instate when I moved to a different host. I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessable locally via RDP).
If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically. And while I did not have one before, why did someone not just upload their own?
How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?
My question is this - can the application.cfm be tricked into modifying itself?
Thanks in advance!