Skip to main content
A
aotgnat
Participant
February 1, 2013
Question

Trying to understand an application.cfm attack

  • February 1, 2013
  • 1 reply
  • 1853 views

I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms... 

This past week I wanted to watch some slow page loads for performance, noting their time to execute.  I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages.  Prior to this, I have not utilzed an application.cfm.  I'm pragmattic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.

I soon found myself the recipient of a cross site scripting attack.  I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!

I deleted the application.cfm and onrequestend.cfm and cleanded up my files having caught it same day and experiencing little damage.  The attack was only inserting javascript into my index pages via the application.cfm .  Rather ingenious and it was fun to find and consider.  Payday loan spam.

I've been google'ing and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.

An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads.  I have a fresh install of CF9 so this did not exist.  There was a cfx folder tree with some "example" code folders.  I've zipped and deleted these.

I have changed ftp to use a non-standard port.  Something that I used to do, but failed to re-instate when I moved to a different host.  I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessable locally via RDP).

If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically.  And while I did not have one before, why did someone not just upload their own?

How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?

My question is this - can the application.cfm be tricked into modifying itself?

Thanks in advance!

This topic has been closed for replies.

1 reply

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
February 1, 2013

Cross-site vulnerabilities have been identified in ColdFusion 9. You should therefore install the latest security and cumulative hot fixes. You should also use Application.cfc in place of Application.cfm.

A
aotgnatAuthor
Participant
February 3, 2013

Thank you for the reply, but I clearly stated that, other than this instance, I do not use an Application.cfm and that I have already removed it.

I posted here to gain insight to how the [Application.cfm] exploit worked.  Not how to avoid or fix it.  I did that and said so.

My question is, - can the application.cfm be tricked into modifying itself?  How is the mere existence of this file a danger?

Thanks in advance.

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
February 3, 2013

Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleanded up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.

aotgnat wrote:

The attack was only inserting javascript into my index pages via the application.cfm .

Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368).

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices