[Snort-sigs] Documentation: SID 904

Darryl Davidson ddavidson at ...1674...
Wed Jul 16 16:30:08 EDT 2003


Rule:

WEB-COLDFUSION cfcache.map access

--
Sid:

903

--
Summary:

Attempt to access ColdFusion cache information.  If <CFCACHE> tags are 
being used, this could reveal information about other users' activity.

--
Impact:

Information Collection: The vulnerability is dependent on use of the 
<CFCACHE> tag.  If successful, the exploit gives information about the 
server that could be used for other exploits.

--
Detailed Information:

The .map file includes full path for each cached HTML file, timestamp 
information about cache creation, and the URL of the requested page.

--
Affected Systems:

ColdFusion versions 4.0x (4.5 and 4.5.1 are not vulnerable), on all
platforms (Windows, Unix, Linux)

--
Attack Scenarios:

Remote user simply requests likely pages until successfully downloading 
the .map file:

http://www.server.com/application/cfcache.map

The retrieved information is then read and used for other exploit 
attempts, such as URL mangling or cross-site scripting attacks.

--
Ease of Attack:

Trivial

--
False Positives:

None known

--
False Negatives:

Unknown

--
Corrective Action:

Macromedia (formerly Allaire) has a patch at
http://download.allaire.com/publicdl/en/coldfusion/40/AllaireSecurityBulletin(ASB00-03)New4.0xCfcache.zip

The above patch allows you to specify the target directory for cache 
files.  If you're using <CFCACHE> tags, use the patch parameters to move 
the target directory out of the webspace.

--
Contributors:

Documentation - Darryl Davidson <ddavidson at ...1674...>

--
Additional References:

CVE-2000-0057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0057

Allaire Security Bulletin (ASB00-03)
http://www.macromedia.com/devnet/security/security_zone/asb00-03.html
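
Added example, not part of the original post or of the Snort rule set: a log review that separates clients that only requested cfcache.map from clients to which the file was actually served, which is the case the Corrective Action section is meant to eliminate. It assumes Apache combined-format access logs and that matching should be case-insensitive after percent-decoding; the sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jul/2003:16:01:02 -0400] "GET /cfcache.map HTTP/1.0" 404 208 "-" "-"
192.0.2.10 - - [16/Jul/2003:16:01:03 -0400] "GET /app/cfcache.map HTTP/1.0" 404 208 "-" "-"
192.0.2.10 - - [16/Jul/2003:16:01:04 -0400] "GET /application/CFCACHE.MAP HTTP/1.0" 200 1532 "-" "-"
198.51.100.7 - - [16/Jul/2003:16:02:00 -0400] "GET /application/index.cfm HTTP/1.0" 200 4096 "-" "-"
198.51.100.7 - - [16/Jul/2003:16:02:09 -0400] "GET /docs/cfcache%2Emap?x=1 HTTP/1.0" 403 199 "-" "-"
"""

# client, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def is_cfcache_map(target):
    """True if the request path, decoded and lowercased, ends in cfcache.map."""
    path = unquote(urlsplit(target).path).lower()
    return path.rsplit("/", 1)[-1] == "cfcache.map"


def summarize(log_text):
    """Per client: cfcache.map paths requested, and those answered with 2xx."""
    hits = defaultdict(lambda: {"probes": [], "served": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, _method, target, status = m.groups()
        if not is_cfcache_map(target):
            continue
        path = unquote(urlsplit(target).path)
        hits[client]["probes"].append(path)
        if status.startswith("2"):
            # The map file was delivered: the cache directory is in the webspace.
            hits[client]["served"].append(path)
    return dict(hits)


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        verdict = "SERVED" if info["served"] else "requested only"
        print(f"{client}: {len(info['probes'])} request(s), {verdict} {info['served']}")
```

Any path listed under "served" identifies a directory whose cache files still need to be moved out of the webspace.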




