Legend
August 22, 2011
Question

Adobe ColdFusion Input Validation Flaw in 'probe.cfm' Permits Cross-Site Scripting Attacks

  • August 22, 2011
  • 2 replies
  • 3055 views

This security vulnerability was recently published:

http://securitytracker.com/id/1025957

What is strange is the note: "No solution available at the time of entry."

There is a workaround/solution for this issue. Remove the existing CFIDE virtual directory mapping from your site, if you are using the default. Create a virtual directory for CFIDE and map it to an empty directory. Then create a virtual directory under it for scripts and map it to the original scripts location (usually c:\inetpub\wwwroot\cfide\scripts for IIS). This way the scripts content gets updated with normal Adobe patches, your templates can use the various scripts, and the rest of the CFIDE contents are not accessible and exploitable.

I HIGHLY recommend this tweak for all websites as it avoids and corrects many CFIDE vulnerabilities.
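The mapping described above, scripted for IIS 7 or later as an added example (this is not the poster's own script and not Adobe's configuration). It uses appcmd.exe to drop the default CFIDE virtual directory, map /CFIDE to an empty folder and /CFIDE/scripts to the real scripts folder, and then goes one step beyond the post by checking the result over HTTP. The site name "Default Web Site", the empty-folder path, the hostname, and the script file name cfform.js used in the check are assumptions; change them to match your server.

```powershell
# Added example: CFIDE "empty root + scripts only" mapping on IIS 7+, then verify it.
# Assumed values (adjust for your server):
$site       = "Default Web Site"
$emptyDir   = "C:\inetpub\cfide_empty"              # deliberately contains nothing
$scriptsDir = "C:\inetpub\wwwroot\CFIDE\scripts"    # the real scripts, kept current by Adobe updates
$baseUrl    = "http://localhost"
$appcmd     = Join-Path $env:windir "System32\inetsrv\appcmd.exe"

# 1. Create the empty folder that will stand in for the CFIDE root.
New-Item -ItemType Directory -Path $emptyDir -Force | Out-Null

# 2. Remove the default CFIDE virtual directory (error ignored if it does not exist).
& $appcmd delete vdir "$site/CFIDE" 2>$null

# 3. Map /CFIDE to the empty folder, then nest /CFIDE/scripts over the real scripts folder.
#    IIS 7+ allows nested virtual directories; the more specific path wins for requests under it.
& $appcmd add vdir "/app.name:$site/" /path:/CFIDE /physicalPath:$emptyDir
& $appcmd add vdir "/app.name:$site/" /path:/CFIDE/scripts /physicalPath:$scriptsDir

# 4. Show the resulting mappings for the site.
& $appcmd list vdir "/app.name:$site/"

# 5. HTTP check. Returns the status code, or 0 if the request never got a response.
function Get-StatusCode([string]$url) {
    try {
        return [int](Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10).StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return 0
    }
}

$checks = [ordered]@{
    # Must still be served: templates using <cfform>, <cfgrid> etc. load these.
    "$baseUrl/CFIDE/scripts/cfform.js"       = 200   # assumed file name; use any script your site needs
    # Must no longer be reachable through this site: probe.cfm and the rest of CFIDE.
    "$baseUrl/CFIDE/probe.cfm"               = 404
    "$baseUrl/CFIDE/administrator/index.cfm" = 404
}

$failed = 0
foreach ($url in $checks.Keys) {
    $got   = Get-StatusCode $url
    $ok    = ($got -eq $checks[$url])
    if (-not $ok) { $failed++ }
    $label = if ($ok) { "ok" } else { "FAIL" }
    "{0,-4} got {1,3} expected {2,3}  {3}" -f $label, $got, $checks[$url], $url
}
if ($failed) { Write-Warning "$failed check(s) failed; do not rely on this mapping until they pass." }
```

Run it in an elevated PowerShell on the web server. Because the ColdFusion Administrator lives under /CFIDE/administrator/, it is no longer reachable through this site once the mapping is in place; keep a separate, access-restricted site or the built-in web server for administration, and re-run the checks after each Adobe update to confirm nothing has re-created the original CFIDE mapping.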


    WolfShade
    Legend
    November 5, 2012

    I tried this, and CF gives an error: "Probe not found: '<script>alert("G.R0b1n")</script>'"

    ^_^

    Participant
    November 5, 2012

    Thanks WolfShade. What version of CF are you running? I think probe.cfm is specific to the Enterprise edition.

    Supposedly, it can only be called from 'localhost'.  In which case I am confused as to how a hacker can invoke the vulnerability.

    Pete

    WolfShade
    Legend
    November 5, 2012

    Ah, well, if it's Enterprise only.. I'm running Developer 9,0,1,274733.  (shrug)

    ^_^

    pete_freitag
    Participating Frequently
    August 22, 2011

    Have you tried to exploit this?

    If it works then that means your server is not fully patched. Also it can only possibly work on localhost.

    CF 8.0.1 and CF 9.0.1 with the latest security patches are not vulnerable to this issue. I believe 8.0 out of the box is, but it was patched several years ago. This is an old issue where the default exception handler did not properly escape its output.

    Though I totally agree with you, blocking off any and all unused portions of CFIDE goes a long way in making your server more secure.

    --

    Pete Freitag

    Foundeo Inc. - ColdFusion Consulting & Products

    Legend
    August 22, 2011

    I tried it but my servers have the virtual directory configuration tweak I described. The vulnerability report that I referenced just came out this morning so I assumed it is still an issue with default configurations.

    12Robots
    Participating Frequently
    August 22, 2011

    I just confirmed on my own machine that this was fixed in the Security Hotfix documented here: http://kb2.adobe.com/cps/890/cpsid_89094.html

    I had an unpatched machine that I was able to exploit it on, then I ran the update and restarted, and now the URL message is properly encoded before being displayed. The reporter is clearly not using a patched version of ColdFusion.

    Unfortunately, it looks like the HotFix does not change the version number. My CF instance reports version 9,0,1,274733 both before and after the update, so it is hard to tell if the patch has been applied or not.