• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Cold Fusion Vulnerability issue

Guest
Dec 01, 2016 Dec 01, 2016

Copy link to clipboard

Copied

Hi all,

I am new to cold fusion and i am facing a problem which has been pointed out by our security team on an application wirtten in cold fusion:

We have an application written in cold fusion, for which the login page is lets say the below -

https://xxx.com/vendor/index.cfm

Now the vendor is the root directory and it has subdirectories containing the cfm files. So if i do https://xxx.com/vendor/common/abc.cfm , i am able to access the abc.cfm which is in the common folder inside the vendor directory. Now the problem is that if i do https://xxx.com/vendor/common/ , it shows meon browser the list of files present in the common directory, which is not acceptable.. I can see that putting index.cfm in the common folder resolves the problem by redirecting me to the index page. But since there are approximately 120 subdirectories , is there a way to do this in a better way other than putting an index.cfm in every folder ? I tried the missing page handler on the server colsole but no luck.

Any assistance will be greatly appreciated.

Views

665

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Deleted User
Dec 01, 2016 Dec 01, 2016

i disabled directory browsing on iis , that did the trick . Thanks a lot for your help !!!! If i see any issue , i will post again.

Votes

Translate

Translate
Adobe Employee ,
Dec 01, 2016 Dec 01, 2016

Copy link to clipboard

Copied

Hi,

If I understood the problem correctly then you have directory browsing enable at webserver. First please disable it and then check it.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Dec 01, 2016 Dec 01, 2016

Copy link to clipboard

Copied

hi priyank,

thanks for the reply.

I tried the following -

going to C:\ColdFusion10\cfusion\runtime\conf  web.xml and changing the value of listings parameter -

<servlet>

        <servlet-name>default</servlet-name>

        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>

        <init-param>

            <param-name>debug</param-name>

            <param-value>0</param-value>

        </init-param>

        <init-param>

     <!-- secure profile disable start -->

            <param-name>listings</param-name>

            <param-value>false</param-value>

            <!-- secure profile disable end -->

     <!-- secure profile enable start

            <param-name>listings</param-name>

            <param-value>false</param-value>

            secure profile enable end -->

        </init-param>

        <load-on-startup>1</load-on-startup>

    </servlet>

I changed the listing from true to false, but no luck so far.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Dec 01, 2016 Dec 01, 2016

Copy link to clipboard

Copied

i disabled directory browsing on iis , that did the trick . Thanks a lot for your help !!!! If i see any issue , i will post again.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Dec 01, 2016 Dec 01, 2016

Copy link to clipboard

Copied

Hi,

Glad that did the trick, could you please mark the answer correct.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Dec 01, 2016 Dec 01, 2016

Copy link to clipboard

Copied

did it, thanks again!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 01, 2016 Dec 01, 2016

Copy link to clipboard

Copied

LATEST

Your security team must not know an arse from an elbow if they did not know how to turn off directory browsing.

I'd seriously consider a full security audit of your OS, web server, CF server and code.

Also has been "ColdFusion" - one word - for close to two decades now...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation