Allaire ColdFusion Undocumented CFML Tags Vulnerability

A malicious CFML developer could use undocumented tags and functions to create a web application hosted on the local machine that would give the attacker the ability to perform various unauthorized actions, including registry, database, and security access.

This is possible due to certain tags that are available as part of the web administration utility. These tags can be found using the CFdecrypt utility (more information available at http://www.securityfocus.com/vdb/275 ). In 3.0 the most potentially damaging tags are CFAdmin_Registry_GET and CFAdmin_Registry_SET. In 4.0 they are CFNEWINTERNALREGISTRY and CFNEWINTERNALADMINSECURITY. In combination with the cfusion_encrypt() and cfusion_decrypt() functions, these can be used to retrieve and decrypt the admin and studio passwords. With these passwords, an attacker could then use a variety of tools available as part of the web administration interface to upload files, retrieve directory listings, etc.

The complete list of functions and tags is:

ColdFusion 4.0x and 3.x Administrative Functions:

CF_SETDATASOURCEUSERNAME()
Sets the default user name for a ColdFusion data source
CF_SETDATASOURCEPASSWORD()
Sets the default password for the ColdFusion data source
CF_ISCOLDFUSIONDATASOURCE()
Verifies a connection to a ColdFusion data source
CF_GETDATASOURCEUSERNAME()
Gets the default user name for a ColdFusion data source
CFUSION_VERIFYMAIL()
Verifies the connection to the default ColdFusion SMTP mail server
CFUSION_GETODBCINI()
Gets ODBC data source information from the Registry
CFUSION_SETODBCINI()
Sets ODBC data source information in the Registry
CFUSION_GETODBCDSN()
Gets the ODBC data source names from the Registry
CFUSION_SETTINGS_REFRESH()
Refreshes some ColdFusion settings not requiring a restart
CFUSION_DBCONNECTIONS_FLUSH()
Disconnects all currently connected ColdFusion datasources
CFUSION_DECRYPT()
3.x only - decrypt function that decrypts a specific string. Deprecated by the standard Decrypt() function.
CFUSION_ENCRYPT()
3.x only - encrypt function that encrypts a specific string. Deprecated by the standard Encrypt() function.

ColdFusion 4.0x Administrative Tags:

CFINTERNALDEBUG
Used for internal ColdFusion debugging by product development and to compile templates to PCode without executing them (used by the CFML Syntax Checker).
CFNEWINTERNALADMINSECURITY
Used for updates to Advanced Security information.
CFNEWINTERNALREGISTRY
Used for registry updates. This tag is identical to the CFREGISTRY tag but by-passes Basic security.

ColdFusion 3.x Administrative Tags (deprecated in 4.x):

CFADMIN_REGISTRY_SET
Used for registry updates, by-passing Basic security.
CFADMIN_REGISTRY_GET
Used for retrieving registry information, by-passing Basic security.
CFADMIN_REGISTRY_DELETE
Used for registry updates. This tag is identical to the CFREGISTRY tag but by-passes Basic security.
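A defender reviewing templates on a shared ColdFusion host can flag any use of the identifiers listed above before they are deployed. The scanner below is an added example, not part of the advisory or of Allaire's tooling: it matches the tag and function names from the list case-insensitively, ignores occurrences inside CFML comments so documentation does not trigger it, and the template it scans is constructed here purely for illustration.

```python
import re

# Undocumented administrative tags and functions named in the advisory
# (ColdFusion 3.x and 4.0x). CFML is case-insensitive, so matching is too.
ADMIN_TAGS = {
    "CFINTERNALDEBUG", "CFNEWINTERNALADMINSECURITY", "CFNEWINTERNALREGISTRY",
    "CFADMIN_REGISTRY_SET", "CFADMIN_REGISTRY_GET", "CFADMIN_REGISTRY_DELETE",
}
ADMIN_FUNCTIONS = {
    "CF_SETDATASOURCEUSERNAME", "CF_SETDATASOURCEPASSWORD",
    "CF_ISCOLDFUSIONDATASOURCE", "CF_GETDATASOURCEUSERNAME",
    "CFUSION_VERIFYMAIL", "CFUSION_GETODBCINI", "CFUSION_SETODBCINI",
    "CFUSION_GETODBCDSN", "CFUSION_SETTINGS_REFRESH",
    "CFUSION_DBCONNECTIONS_FLUSH", "CFUSION_DECRYPT", "CFUSION_ENCRYPT",
}

CFML_COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)
TAG_RE = re.compile(r"<\s*(CF[A-Z_]+)\b", re.IGNORECASE)          # <CFSOMETAG ...>
FUNC_RE = re.compile(r"\b(CF(?:USION)?_[A-Z_]+)\s*\(", re.IGNORECASE)  # cf_xxx( / cfusion_xxx(


def find_admin_usage(source: str):
    """Return (line_number, kind, name) for each undocumented admin tag or
    function used outside CFML comments. Textual heuristic only: it does not
    parse CFML, so a name built dynamically at runtime would not be seen."""
    # Blank out comment bodies but keep their newlines so line numbers hold.
    stripped = CFML_COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    findings = []
    for lineno, line in enumerate(stripped.splitlines(), start=1):
        for m in TAG_RE.finditer(line):
            name = m.group(1).upper()
            if name in ADMIN_TAGS:
                findings.append((lineno, "tag", name))
        for m in FUNC_RE.finditer(line):
            name = m.group(1).upper()
            if name in ADMIN_FUNCTIONS:
                findings.append((lineno, "function", name))
    return findings


# Constructed sample template (not from the advisory); attribute values are placeholders.
SAMPLE_TEMPLATE = """<cfset greeting = "hello">
<!--- <CFNEWINTERNALREGISTRY action="get"> is only mentioned in this comment --->
<cfoutput>#greeting#</cfoutput>
<CFNEWINTERNALREGISTRY action="get" branch="BRANCH" entry="ENTRY" variable="v">
<cfset plain = cfusion_decrypt(v, key)>
<cfquery name="q" datasource="ds">SELECT 1</cfquery>
"""

if __name__ == "__main__":
    for lineno, kind, name in find_admin_usage(SAMPLE_TEMPLATE):
        print(f"line {lineno}: undocumented admin {kind} {name}")
```

Run against a template directory, a non-empty result for a template not owned by the server administrator is the signal to investigate before it is served.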

Copyright 2010, SecurityFocus