Tenable Nessus vulnerability scan on the ColdFusion cfcexplorer.cfc component--CF11

New Here, Apr 26, 2021


Using the GET HTTP method, Nessus found that the following resources may be vulnerable to blind SQL injection:

The 'method' parameter of the /CFIDE/componentutils/cfcexplorer.cfc CGI:

Input: /CFIDE/componentutils/cfcexplorer.cfc?path=%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml'||'%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml

-------- output -------- HTTP/1.1 200 OK

-------- vs -------- HTTP/1.1 400 Bad Request ------------------------

Does this vulnerability exist, or is it a false positive?


New Here, Apr 26, 2021


Sorry, it is ColdFusion 2018.

Enthusiast, Apr 26, 2021 (Correct Answer)


For it to be a SQL injection vulnerability there needs to be some SQL database interaction (e.g. cfquery, queryExecute, etc.) within the code execution path. While I can't say for 100% certain that the cfcexplorer doesn't have a cfquery tag in it (because it is closed source), I can't think of any reason why it would interact with a database.

It appears that the only thing that Nessus is going off of here is that the status code changed from 200 to 400 (Bad Request).
Adobe Community Professional, Apr 29, 2021


Let us suppose, as Nessus claims, that the 'method' parameter of the /CFIDE/componentutils/cfcexplorer.cfc CGI is vulnerable to blind SQL injection. This means that a blind attack of the following kind will be possible:

http://your-domain.com/.../CFIDE/componentutils/cfcexplorer.cfc?path=%2fCFIDE%2fappdeployment%2fIDatasourcesEventsHandler.cfc&name=CFIDE.appdeployment.IDatasourcesEventsHandler&method=getcfcinhtml and 2=2

where the 'blind' SQL part of the attack is ' and 2=2'.

For such an attack to work, the component cfcexplorer.cfc has to make use of a database table in which there is a column called 'method'. And the table has to come in each of the various database brands at that. (After all, ColdFusion doesn't know beforehand which database brand you will use.)

We know that these conditions are unrealistic. ColdFusion doesn't ship with such a CFC or with such default database tables.

I therefore agree with Pete. If this is the only scan result you get, then there is nothing to worry about.
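Added example, not from this thread and not Adobe's or Tenable's code: a small Python simulation of the two points made above, Pete's observation that the scanner's only evidence is a 200-to-400 status change, and BKBK's point that a real finding would need a database table with a 'method' column in the execution path. The URLs, the two handlers, the in-memory table and the identifier check are all hypothetical constructions; they do not describe how cfcexplorer.cfc is actually implemented.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed request pair modelled on the Nessus finding in the thread:
# the normal request, and the same request with a quote/concatenation
# payload spliced into the 'method' parameter. Paths are shortened
# placeholders, not the real CFIDE paths.
BASELINE = ("/CFIDE/componentutils/cfcexplorer.cfc"
            "?path=%2fCFIDE%2fexample.cfc&name=CFIDE.example&method=getcfcinhtml")
MUTATED = BASELINE + "%27%7C%7C%27%2fCFIDE%2fexample.cfc"  # method=getcfcinhtml'||'/CFIDE/example.cfc

# A CFML method name is an identifier; anything else is rejected up front.
METHOD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def query_params(url):
    """Decode the query string into a flat dict (first value wins)."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def explorer_no_db(url):
    """Hypothetical handler with no database in its path at all.
    It validates 'method' and answers 400 to anything that is not an
    identifier: the same 200-vs-400 difference the scanner reported."""
    method = query_params(url).get("method", "")
    return 200 if METHOD_NAME.match(method) else 400


def make_db():
    """In-memory table standing in for the 'table with a method column'
    that BKBK notes would have to exist for the finding to be real."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE methods (name TEXT)")
    con.execute("INSERT INTO methods VALUES ('getcfcinhtml')")
    return con


def explorer_bound_query(url, con):
    """Hypothetical handler that does query the table but binds the value
    (the cfqueryparam equivalent). The payload is compared as a plain
    string, matches nothing, and the handler answers 404."""
    method = query_params(url).get("method", "")
    row = con.execute("SELECT 1 FROM methods WHERE name = ?", (method,)).fetchone()
    return 200 if row else 404


def stored_round_trip(con, value):
    """Bound parameters keep quotes and '||' as data: insert the payload
    string and read it back unchanged."""
    con.execute("INSERT INTO methods VALUES (?)", (value,))
    (got,) = con.execute("SELECT name FROM methods WHERE name = ?", (value,)).fetchone()
    return got


def flagged_by_status_heuristic(handler):
    """All the evidence the scanner had: did the status code change between
    the baseline request and the mutated one?"""
    return handler(BASELINE) != handler(MUTATED)


if __name__ == "__main__":
    con = make_db()
    for label, handler in [("no database", explorer_no_db),
                           ("bound query", lambda u: explorer_bound_query(u, con))]:
        print(f"{label:12s} baseline={handler(BASELINE)} mutated={handler(MUTATED)} "
              f"flagged={flagged_by_status_heuristic(handler)}")
```

Both hypothetical handlers are flagged by the status-code heuristic, and neither passes request text into SQL: one has no database at all, the other binds the value. A changed status code therefore cannot by itself distinguish ordinary input validation from an injection point, which is why the triage in this thread turns on whether any database interaction exists in the execution path, not on the 400.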
New Here, Apr 29, 2021

Thank you Pete and BKBK for your responses. It helped a lot.
