Hi,
Recent pen testing has discovered that it is possible to bypass logging in to gain access to the cfcexplorer with the following steps:
1.) Go to the COLDFUSION cfcexplorer
http://<domain-name>/CFIDE/componentutils/cfcexplorer.cfc
2.) Click login without specifying a password
When this is done, a page displaying an error message results, and a ? is then appended to the URL.
3.) Press the browser back button, manually add the ? to the URL, and click login again.
http://<domain-name>/CFIDE/componentutils/cfcexplorer.cfc?
You will now gain access to the cfc explorer.
Is this a known problem that has a patch?
We've recently come across this vulnerability as well, and have observed it being used in the wild as a directory traversal exploit. Any file on the server which the CF user (defaults to SYSTEM) can access may be exposed using a cfc component through cfcexplorer. It appears that this vulnerability was introduced with cumulative hotfix 2 in CF 8.0.1, and is also present in CF9+.
It seems the only way to mitigate it is by manually setting an RDS password (even if RDS is disabled). By default on installation, the RDS password is set to be blank if RDS is not enabled. With a password set (through the admin or manually in password.properties, and restarting CF), cfcexplorer.cfc will keep prompting for a password.
Thank you hjlane3 for your response.
The approach we've adopted is one of good practice anyway (I think), and that is to restrict remote access to the CFIDE virtual directory. This prevents access to the cfc explorer remotely, which is fine for us at present. I'll look into your suggestion, though, as remote access may be required in the future.
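The bypass described in this thread leaves a recognisable trace in web-server access logs: a request for /CFIDE/componentutils/cfcexplorer.cfc whose request target ends in a bare "?" with no query string, typically right after a failed login. The script below is an added example (not code from the thread or from Adobe) that scans Combined Log Format lines for that pattern and separates local from remote clients, which is the check you would run to confirm whether the CFIDE access restriction discussed above actually held. The log lines, hosts, timestamps, sizes and the one query string in SAMPLE_LOG are constructed for illustration, and the set of "local" networks is an assumption to adjust to your environment.

```python
"""
Scan access logs for the cfcexplorer login-bypass pattern (request target ending
in a bare "?").  Added example, not part of the forum thread.  Assumes Apache or
IIS logging in Combined Log Format; SAMPLE_LOG is constructed data.
"""
import re
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

CFCEXPLORER_PATH = "/cfide/componentutils/cfcexplorer.cfc"

# Assumption: only loopback and RFC 1918 space count as "local".  Widen this to
# the site's trusted admin ranges before running it over real logs.
_LOCAL_NETS = [ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


class Hit(NamedTuple):
    host: str
    time: str
    method: str
    target: str
    status: int
    bare_query: bool   # target is exactly ".../cfcexplorer.cfc?" -> the bypass variant
    remote: bool       # client address is outside _LOCAL_NETS


def _is_remote(host: str) -> bool:
    try:
        addr = ip_address(host)
    except ValueError:
        return True            # hostname or garbage: treat as untrusted
    return not any(addr in net for net in _LOCAL_NETS)


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for any request to cfcexplorer.cfc, else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    # IIS paths are case-insensitive, so normalise before comparing.
    if urlsplit(target).path.lower() != CFCEXPLORER_PATH:
        return None
    # urlsplit() discards an empty query, so inspect the raw target for the "?".
    bare_query = target.endswith("?")
    return Hit(m.group("host"), m.group("time"), m.group("method"), target,
               int(m.group("status")), bare_query, _is_remote(m.group("host")))


def scan(log_text: str) -> List[Hit]:
    """All cfcexplorer.cfc requests in the log, in order."""
    return [h for h in (classify(line) for line in log_text.splitlines()) if h]


def bypass_attempts(log_text: str) -> List[Hit]:
    """The bare-'?' requests; a 200 on one of these means the login prompt was bypassed."""
    return [h for h in scan(log_text) if h.bare_query]


def remote_bypass_sources(log_text: str) -> List[str]:
    """Distinct non-local clients that tried the bypass.  A restriction on the
    CFIDE virtual directory, as discussed in the thread, should leave this empty."""
    return sorted({h.host for h in bypass_attempts(log_text) if h.remote})


# Constructed sample: an outside client loads the explorer, fails a login (error
# page), then re-requests with the bare "?" and gets in; a local curl does the same.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2011:10:01:02 +0000] "GET /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2011:10:01:09 +0000] "POST /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 500 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2011:10:01:15 +0000] "POST /CFIDE/componentutils/cfcexplorer.cfc? HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2011:10:01:40 +0000] "GET /CFIDE/componentutils/cfcexplorer.cfc?name=example HTTP/1.1" 200 10112 "-" "Mozilla/5.0"
127.0.0.1 - - [12/Apr/2011:10:05:00 +0000] "GET /cfide/componentutils/cfcexplorer.cfc? HTTP/1.1" 200 8841 "-" "curl/7.19"
198.51.100.3 - - [12/Apr/2011:10:06:00 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in bypass_attempts(SAMPLE_LOG):
        print(f"{h.time} {h.host:<15} {h.method} {h.target} -> {h.status} "
              f"{'REMOTE' if h.remote else 'local'}")
    print("remote sources:", remote_bypass_sources(SAMPLE_LOG))
```

Point it at a real access log with `bypass_attempts(open(path).read())`. IIS W3C-format logs use a different field layout, so adjust `_LOG_RE` (or convert the log to Combined Log Format) before using it there, and note that a non-empty query string on cfcexplorer.cfc is ordinary explorer use, not the bypass; only the bare trailing "?" is the indicator the thread describes.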