
Tenable Nessus vulnerability scan on the ColdFusion cfcexplorer.cfc component--CF11

New Here, Apr 26, 2021

Using the GET HTTP method, Nessus found that the following resources may be vulnerable to blind SQL injection:

The 'method' parameter of the /CFIDE/componentutils/cfcexplorer.cfc CGI:

Input: /CFIDE/componentutils/cfcexplorer.cfc?path=%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml'||'%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml

-------- output -------- HTTP/1.1 200 OK

-------- vs -------- HTTP/1.1 400 Bad Request ------------------------

 

Does this vulnerability exist, or is it a false positive?

1 Correct answer

Enthusiast, Apr 26, 2021

For it to be a SQL Injection vulnerability there needs to be some SQL database interaction (eg cfquery, queryExecute, etc) within the code execution path. While I can't say for 100% certain that the cfcexplorer doesn't have a cfquery tag in it (because it is closed source), I can't think of any reason why it would interact with a database.

 

It appears that the only thing that Nessus is going off of here is that the status code changed from 200 to 400 (Bad Request).
New Here, Apr 26, 2021

Sorry, it is ColdFusion 2018.

Community Expert, Apr 29, 2021

Let us suppose, as Nessus claims, that the 'method' parameter of the /CFIDE/componentutils/cfcexplorer.cfc CGI is vulnerable to blind SQL injection. This means that a blind attack of the following kind will be possible

 

http://your-domain.com/.../CFIDE/componentutils/cfcexplorer.cfc?path=%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml and 2=2

 

where the 'blind' SQL part of the attack is ' and 2=2'.

 

For such an attack to work, the component cfcexplorer.cfc has to make use of a database table in which there is a column called 'method'. And the table has to come in each of the various database brands at that. (After all, ColdFusion doesn't know beforehand which database brand you will use.)

 

We know that these conditions are unrealistic. ColdFusion doesn't ship with such a CFC or with such default database tables. 

 

I therefore agree with Pete. If this is the only scan result you get, then there is nothing to worry about.
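Pete's and BKBK's replies come down to the same triage rule: a status code that changes between two malformed requests is not evidence of SQL injection, but a SQL condition that, when true, reproduces the baseline response and, when false, changes it, is. The Python script below is an added example and is not part of this thread or of ColdFusion; it models the situation with two hypothetical request handlers, `safe_handler` (validates `method` against a fixed allow-list, never touches a database) and `vulnerable_handler` (splices `method` into SQL text and runs it against an in-memory SQLite table of constructed sample rows), then runs both the scanner-style status comparison and a proper true/false differential against each. The scan's injected request is copied from the report above; note that it repeats the whole original query string after `'||'`, so `method` appears twice in it. The method names, the comparison request the scanner used, and the rule that the last duplicate parameter wins are all assumptions made for the example.

```python
"""Re-check a scanner's 'blind SQL injection' verdict with a true/false
differential instead of a bare status-code comparison.

Constructed for this example; neither handler is ColdFusion's real
cfcexplorer.cfc.  Each takes the raw query string of a request and returns an
HTTP status code.

Assumption: when a parameter is repeated, the last value wins (the scan's own
request repeats 'method', see SCAN_PROBE below).
"""
import sqlite3
from urllib.parse import parse_qs, quote

# Query string from the scan report, with the path/name values it used.
PATH = "%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc"
NAME = "CFIDE.appdeployment.IDatasourcesEventsHandler"
BASE = f"path={PATH}&name={NAME}&method=getcfcinhtml"

# The scanner's injected request as printed in the report: "'||'" followed by
# the original query string again, so 'method' is present twice.
SCAN_PROBE = BASE + "'||'" + BASE[len("path="):]

CFC_METHODS = ("getcfcinhtml", "getcfcmetadata")   # assumed method names


def _method_param(query: str) -> str:
    values = parse_qs(query, keep_blank_values=True).get("method", [""])
    return values[-1]                                # assumption: last wins


def safe_handler(query: str) -> int:
    """Allow-list lookup only: any unknown 'method' value is a 400.
    No SQL is involved anywhere in this code path."""
    return 200 if _method_param(query) in CFC_METHODS else 400


# Constructed sample table for the deliberately vulnerable handler.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE cfc_method (name TEXT)")
_DB.executemany("INSERT INTO cfc_method VALUES (?)", [(m,) for m in CFC_METHODS])


def vulnerable_handler(query: str) -> int:
    """Deliberately injectable: 'method' is interpolated into the SQL string."""
    sql = f"SELECT name FROM cfc_method WHERE name = '{_method_param(query)}'"
    try:
        row = _DB.execute(sql).fetchone()
    except sqlite3.Error:            # unbalanced quote etc. -> server error
        return 500
    return 200 if row else 400


def with_method(value: str) -> str:
    """Base query string with the 'method' value replaced by `value` (URL-encoded)."""
    return f"path={PATH}&name={NAME}&method={quote(value, safe='')}"


def scanner_heuristic(handler) -> bool:
    """The reasoning the report shows: the '||' request answered 200 while a
    second request answered 400, therefore 'may be vulnerable'.  The second
    request is assumed here to be the value with a lone trailing quote."""
    return handler(SCAN_PROBE) != handler(with_method("getcfcinhtml'"))


def boolean_differential(handler) -> bool:
    """Blind-SQLi triage: a condition that is true in SQL must reproduce the
    baseline response, and the same condition made false must change it.
    The quotes are balanced so the statement parses if it reaches SQL at all;
    a 400 on both probes means the input was rejected before any query."""
    baseline = handler(with_method("getcfcinhtml"))
    true_cond = handler(with_method("getcfcinhtml' AND '1'='1"))
    false_cond = handler(with_method("getcfcinhtml' AND '1'='2"))
    return true_cond == baseline and false_cond != baseline


if __name__ == "__main__":
    for label, handler in (("safe", safe_handler), ("vulnerable", vulnerable_handler)):
        print(f"{label:10s} scanner_heuristic={scanner_heuristic(handler)} "
              f"boolean_differential={boolean_differential(handler)}")
```

Run as a script, it reports that the scanner-style comparison flags both handlers (the allow-list handler answers 200 to the scan probe only because the repeated `method` parameter ends with a valid name, and 400 to the lone-quote probe), while the true/false differential confirms injection only for the handler that actually builds SQL from the input. On a live target the same differential should be repeated with several independent conditions and should compare body length and timing as well as status, since a single status change can come from input validation, routing, or a WAF rather than from a database.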

New Here, Apr 29, 2021

Thank you Pete and BKBK for your responses. It helped a lot.
