[Snort-sigs] Documentation: SID 905

Darryl Davidson ddavidson at ...1674...
Tue Jul 22 15:25:25 EDT 2003


Rule:

WEB-COLDFUSION 'publish' example app application.cfm access

--
Sid:

905

--
Summary:

Attempted to access an Example application on a Coldfusion 4.x server. 
This 'Web Publish Example Script' can be exploited to allow the attacker 
to upload an arbitrary file to the server.

--
Impact:

Serious: The vulnerability allows custom code to be uploaded to the server.

--
Detailed Information:

ColdFusion (Macromedia, formerly Allaire) web servers have several 
default Example applications installed that have vulnerabilities.  The 
'Web Publish Example script' application can be exploited to allow the 
uploading of arbitrary files.

See Macromedia Security Bulletin (MPSB01-08) for complete information.


--
Affected Systems:

ColdFusion versions 2.x, 3.x, 4.x for Windows
ColdFusion versions 4.x for Solaris, HP-UX
ColdFusion versions 4.5.x for Linux
Expression Evaluator Patch (ASB99-01)

--
Attack Scenarios:

The web application allows file uploading via a URL like this:

http://www.target.com/CFDOCS/exampleapps/publish/admin/application.cfm

Once the file has been uploaded, it can be executed by crafting a 2nd 
URL to the uploaded file.

--
Ease of Attack:

Trivial

--
False Positives:

If you're using ColdFusion 4.x's example code, you'll trigger this alert.

--
False Negatives:

Unknown

--
Corrective Action:

Delete all example code.  This is one of several significant 
vulnerabilities that are exploitable if the example code is left on a 
production server.

--
Contributors:

Documentation - Darryl Davidson <ddavidson at ...1674...>

-- 
Additional References:

Macromedia Security Bulletin (MPSB01-08)
http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html






More information about the Snort-sigs mailing list