Bugtraq mailing list archives

ColdFusion File Upload Exploit (fwd)


From: aleph1 () DFW NET (Aleph One)
Date: Mon, 14 Sep 1998 20:23:41 -0500


---------- Forwarded message ----------
Date: Mon, 14 Sep 1998 12:12:23 -0600
From: INFO2000 TECH <colby () INFO2000 NET>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: ColdFusion File Upload Exploit

The following message was posted to the Allaire's COLD FUSION forums:


As previously noticed in the thread:
 http://forums.allaire.com/devconf/Thread_MessageList.cfm?&&Message_ID=71293

By default, on Windows NT installations, the CF function, GetTempDirectory
returns C:\WINNT.

This can be exploited with the "Coffee Valley Document Library", included in the
Cold Fusion Installation Examples. This allows users to upload arbitrary files
to the C:\WINNT directory. THIS IS A SECURITY RISK. C:\WINNT is the second item
in the default Windows NT path, and this exploit can be used to introduce
trojans into this directory. Even though the Coffee Valley example uses the
CFFILE attribute "MakeUnique", which will not overwrite existing files with the
uploaded filename, there is still a security risk in that new executables and
DLLs can be introduced. On a smaller note, the file system could be filled up
with garbage files.

WORKAROUND: Currently, TEMP is correctly set to C:\TEMP as a User Environment
Variable, but should also be set as a System Environment Variable.

It would also be a really good idea to disable public access to the /CFDOCS
directory on any machine running Cold Fusion (as this is where the Example
Applications reside)

This is a "feature" of CF 3.x AND CF 4.0, AND this bug has been reported as a
"benign" bug on the Beta Forums...
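The upload pattern the forwarded post describes, written out as a constructed CFML illustration added here (it is not the Coffee Valley example's actual code, which this page does not reproduce). The first template drops the upload wherever GetTempDirectory() points, which on a default NT install with no System-level TEMP is C:\WINNT; the second pins the destination to a directory that is neither on the PATH nor under the web root, limits the accepted content types, and re-checks the extension of the file that was actually written. The form field name uploadFile, the directory D:\uploads\, the extension allowlist, and the use of the cffile result scope (older releases expose the same variables under File.) are assumptions for the example.

```cfml
<!--- VULNERABLE PATTERN (the shape of the example application's upload). --->
<!--- GetTempDirectory() follows the server's TEMP setting. On a default NT box --->
<!--- with TEMP set only as a User variable it resolves to C:\WINNT, which is on --->
<!--- the default PATH. NAMECONFLICT="MAKEUNIQUE" only prevents overwrites; it --->
<!--- still lets a brand-new .exe or .dll land in the system directory. --->
<cffile action="upload"
        filefield="uploadFile"
        destination="#GetTempDirectory()#"
        nameconflict="makeunique">

<!--- HARDENED PATTERN --->
<!--- 1. Fixed destination, off the PATH and outside the web root (assumed path). --->
<cfset uploadDir = "D:\uploads\">

<!--- 2. Only accept the content types the application actually needs. --->
<cffile action="upload"
        filefield="uploadFile"
        destination="#uploadDir#"
        accept="image/gif,image/jpeg,text/plain"
        nameconflict="makeunique">

<!--- 3. ACCEPT trusts the client-supplied Content-Type header, so re-check the --->
<!---    extension of the file that was really written and remove anything that --->
<!---    falls outside the allowlist before anyone can reach it. --->
<cfset allowedExt = "gif,jpg,jpeg,txt">
<cfif NOT ListFindNoCase(allowedExt, cffile.serverFileExt)>
  <cffile action="delete" file="#uploadDir##cffile.serverFile#">
  <cfthrow message="Rejected upload: .#cffile.serverFileExt# is not permitted.">
</cfif>

<cfoutput>Stored #cffile.serverFile# in #uploadDir#</cfoutput>
```

The point of the hardened version is that the destination never depends on an environment variable the application does not control; fixing the System-level TEMP (the workaround above) closes this particular hole, but any template that uploads into GetTempDirectory() is still one misconfiguration away from writing into a directory on the PATH.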


