Using the GET HTTP method, Nessus found that the following resources may be vulnerable to blind SQL injection :
The 'method' parameter of the /CFIDE/componentutils/cfcexplorer.cfc CGI :
Input: /CFIDE/componentutils/cfcexplorer.cfc?path=%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml'||'%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml
-------- output -------- HTTP/1.1 200 OK
-------- vs -------- HTTP/1.1 400 Bad Request ------------------------"
Does this vulnerability exist, or is it a false positive?
Sorry, it is ColdFusion 2018.
For it to be a SQL Injection vulnerability there needs to be some SQL database interaction (e.g. cfquery, queryExecute, etc.) within the code execution path. While I can't say for 100% certain that the cfcexplorer doesn't have a cfquery tag in it (because it is closed source), I can't think of any reason why it would interact with a database.
It appears that the only thing that Nessus is going off of here is that the status code changed from 200 to 400 (Bad Request).
Let us suppose, as Nessus claims, that the 'method' parameter of the /CFIDE/componentutils/cfcexplorer.cfc CGI is vulnerable to blind SQL injection. This means that a blind attack of the following kind will be possible:
http://your-domain.com/.../CFIDE/componentutils/cfcexplorer.cfc?path=%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml and 2=2
where the 'blind' SQL part of the attack is ' and 2=2'.
For such an attack to work, the component cfcexplorer.cfc has to make use of a database table in which there is a column called 'method'. And the table has to come in each of the various database brands at that. (After all, ColdFusion doesn't know beforehand which database brand you will use.)
We know that these conditions are unrealistic. ColdFusion doesn't ship with such a CFC or with such default database tables.
I therefore agree with Pete. If this is the only scan result you get, then there is nothing to worry about.
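The two replies above reason that a bare 200-to-400 status change does not show SQL evaluation. The following triage helper is an added example, not part of the thread and not Nessus or ColdFusion code; it assumes you have recorded four responses from your own server (unmodified value, an always-true and an always-false SQL-style suffix, and a suffix with no SQL meaning), and all sample numbers in it are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obs:
    kind: str       # "baseline", "sql_true", "sql_false" or "control"
    status: int     # HTTP status code of the response
    body_len: int   # response body length in bytes

REQUIRED = ("baseline", "sql_true", "sql_false", "control")

def same(a, b, tolerance=32):
    """Treat two responses as equivalent if status matches and sizes are close."""
    return a.status == b.status and abs(a.body_len - b.body_len) <= tolerance

def triage(observations):
    """Classify a scanner's blind-SQLi finding from recorded responses."""
    by_kind = {o.kind: o for o in observations}
    missing = [k for k in REQUIRED if k not in by_kind]
    if missing:
        raise ValueError(f"missing observations: {missing}")
    base, t, f, ctl = (by_kind[k] for k in REQUIRED)
    # A boolean-based blind injection makes the always-true and always-false
    # variants behave differently, with the "true" variant matching baseline.
    if same(t, base) and not same(t, f):
        return "needs manual review"
    # If a value with no SQL meaning is rejected exactly like both SQL
    # variants, the server is rejecting the changed value, not evaluating it.
    if same(t, f) and same(t, ctl) and not same(ctl, base):
        return "likely false positive"
    return "inconclusive"

# Constructed sample data (not real scan output). THREAD_LIKE assumes every
# altered 'method' value is answered with 400 Bad Request.
THREAD_LIKE = [Obs("baseline", 200, 5120), Obs("sql_true", 400, 310),
               Obs("sql_false", 400, 310), Obs("control", 400, 310)]
# DB_BACKED models a hypothetical parameter that does reach a query.
DB_BACKED = [Obs("baseline", 200, 5120), Obs("sql_true", 200, 5118),
             Obs("sql_false", 200, 840), Obs("control", 400, 310)]

if __name__ == "__main__":
    print("thread-like case:", triage(THREAD_LIKE))
    print("db-backed case:  ", triage(DB_BACKED))
```
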
Thank you Pete and BKBK for your responses. It helped a lot.