April 26, 2021

Tenable Nessus vulnerability scan on the ColdFusion cfcexplorer.cfc component--CF11

  • April 26, 2021
  • 2 replies
  • 851 views

Using the GET HTTP method, Nessus found that the following resources may be vulnerable to blind SQL injection:

The 'method' parameter of the /CFIDE/componentutils/cfcexplorer.cfc CGI:

Input: /CFIDE/componentutils/cfcexplorer.cfc?path=%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml'||'%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml

-------- output --------
HTTP/1.1 200 OK

-------- vs --------
HTTP/1.1 400 Bad Request
------------------------

 

Does this vulnerability exist, or is it a false positive?


    2 replies

    pete_freitag (Correct answer)
    Participating Frequently
    April 26, 2021

    For it to be a SQL Injection vulnerability there needs to be some SQL database interaction (e.g. cfquery, queryExecute, etc.) within the code execution path. While I can't say for 100% certain that the cfcexplorer doesn't have a cfquery tag in it (because it is closed source), I can't think of any reason why it would interact with a database.

    It appears that the only thing that Nessus is going off of here is that the status code changed from 200 to 400 (Bad Request).


    BKBK
    Community Expert
    April 29, 2021

    Let us suppose, as Nessus claims, that the 'method' parameter of the /CFIDE/componentutils/cfcexplorer.cfc CGI is vulnerable to blind SQL injection. This means that a blind attack of the following kind will be possible:

    http://your-domain.com/.../CFIDE/componentutils/cfcexplorer.cfc?path=%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml and 2=2

    where the 'blind' SQL part of the attack is ' and 2=2'.

    For such an attack to work, the component cfcexplorer.cfc has to make use of a database table in which there is a column called 'method'. And the table has to come in each of the various database brands at that. (After all, ColdFusion doesn't know beforehand which database brand you will use.)

    We know that these conditions are unrealistic. ColdFusion doesn't ship with such a CFC or with such default database tables.

    I therefore agree with Pete. If this is the only scan result you get, then there is nothing to worry about.

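The two replies above make one point between them: a 200 turning into a 400 is not evidence that a database is involved, and a blind (boolean) injection claim needs a differential, a TRUE condition such as the ' and 2=2' BKBK quotes behaving like the baseline while a FALSE condition behaves differently. The Python script below is an added example for triaging such a scanner finding; it is not code from this thread, from Tenable or from Adobe. It simulates three constructed lookups for the method parameter (one with no database at all, as the replies describe the explorer; one that concatenates the name into SQL; one using a bound parameter) and runs the same differential check against each, so the reader can see which evidence would actually support the finding. Method names, table and suffixes are all constructed for the demonstration.

```python
"""Triage a scanner's blind-SQLi claim with a TRUE/FALSE differential (added example)."""
import sqlite3
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Response:
    status: int
    body: str

# Constructed: the method names a component explorer might know about.
KNOWN_METHODS = {"getcfcinhtml", "getcfcinmcdl"}

def explorer_no_db(method: str) -> Response:
    """Constructed stand-in for an explorer with no database: an unknown
    method name is simply rejected with 400, whatever it contains."""
    if method not in KNOWN_METHODS:
        return Response(400, "Bad Request")
    return Response(200, f"<html>source of {method}</html>")

def _method_table() -> sqlite3.Connection:
    """Constructed one-row table used by the two database-backed variants."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE methods (name TEXT)")
    con.execute("INSERT INTO methods VALUES ('getcfcinhtml')")
    return con

def explorer_unsafe_sql(method: str) -> Response:
    """Constructed counter-example: the lookup built by string concatenation,
    i.e. the kind of code path that would make the scanner's claim true."""
    con = _method_table()
    try:
        row = con.execute(f"SELECT name FROM methods WHERE name='{method}'").fetchone()
    except sqlite3.Error:
        return Response(500, "Internal Server Error")
    return Response(200, f"<html>source of {row[0]}</html>") if row else Response(404, "Not Found")

def explorer_safe_sql(method: str) -> Response:
    """Hardened form of the same lookup: a bound parameter, so the payload is
    just a name that does not exist in the table."""
    con = _method_table()
    row = con.execute("SELECT name FROM methods WHERE name=?", (method,)).fetchone()
    return Response(200, f"<html>source of {row[0]}</html>") if row else Response(404, "Not Found")

# Boolean pair in the form BKBK quotes: a condition that is always true and
# one that is always false; '--' closes the statement for the simulated query.
TRUE_SUFFIX = "' and 2=2 --"
FALSE_SUFFIX = "' and 2=3 --"

def triage(handler: Callable[[str], Response], baseline: str = "getcfcinhtml") -> dict:
    """Send baseline, TRUE and FALSE variants and classify the evidence.

    no_differential      TRUE and FALSE answer identically: the input was
                         rejected or matched literally; a status change alone
                         (200 -> 400) is not evidence of a database.
    boolean_differential TRUE matches the baseline and FALSE does not: the
                         parameter is evaluated as a condition; investigate.
    inconclusive         anything else (needs manual review).
    """
    base = handler(baseline)
    true_c = handler(baseline + TRUE_SUFFIX)
    false_c = handler(baseline + FALSE_SUFFIX)
    if true_c == false_c:
        verdict = "no_differential"
    elif true_c == base and false_c != base:
        verdict = "boolean_differential"
    else:
        verdict = "inconclusive"
    return {
        "baseline": base.status,
        "true": true_c.status,
        "false": false_c.status,
        "status_changed": true_c.status != base.status,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for name, handler in [("no database", explorer_no_db),
                          ("concatenated SQL", explorer_unsafe_sql),
                          ("bound parameter", explorer_safe_sql)]:
        print(f"{name:18} {triage(handler)}")
```

The explorer with no database shows the thread's situation exactly: the status changes (200 to 400) yet the TRUE and FALSE variants are indistinguishable, so the finding has no boolean evidence behind it. Only the concatenated-SQL variant produces a real differential, and the bound-parameter version behaves like the no-database one. Against a live application the comparison should tolerate noise (timestamps, session tokens) rather than comparing whole bodies byte for byte as this toy does.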

    AJIT5CDC (Author)
    Participating Frequently
    April 29, 2021

    Thank you Pete and BKBK for your responses. It helped a lot.

    AJIT5CDC (Author)
    Participating Frequently
    April 26, 2021

    Sorry, it is ColdFusion 2018.