Evaluating Adobe ColdFusion Security


What is Adobe ColdFusion?

ColdFusion is a well-known rapid web-application development platform, designed to ease programming and web-application development against a database back-end, using the CFML (ColdFusion Markup Language) scripting engine.

Before we get into the nuts and bolts, a short disclaimer.

Every effort has been made to make this article as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The author shall have neither liability nor responsibility to any person or entity with respect to any losses or damages arising from reliance on the information contained in this article.

Motivation

ColdFusion is one of the most widely adopted web technologies in the industry. Thousands of government, educational, financial and private organizations rely on ColdFusion to deploy their web applications and provide services. That very ubiquity makes it an attractive target for anyone wanting to attack these applications and the data held in the databases behind them, whatever the motive (3).

According to W3Techs, a web-technology survey site, "ColdFusion is used by 0.6% of all the websites whose server-side programming language we know."

In this post we will explore information gathering with different tools, and then walk through the common attacks against ColdFusion deployments.

Google Pen-Testing

Google Hacking (or Google pen-testing) is based on the idea that search engines index a great many public pages and files, so discovering them is simply a matter of building the right query. Many of the older queries no longer work because Google has changed how it handles searches. The Google Hacking Database (GHDB) is a compiled list of common mistakes web and server administrators make that can be found with a Google search; with it you can locate administrator consoles, password files, and so on (4).

Originally created by Johnny Long of Hackers for Charity, the GHDB is an authoritative source for querying the ever-widening reach of the Google search engine. In it you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords. The GHDB is maintained and hosted by Offensive Security (5).

Google Dorking

Finding sites that run Adobe ColdFusion is a matter of running the query inurl:index.cfm in Google or any other search engine. At the time of writing, about 21,100,000 results came back, which is striking. The real concern is when a query surfaces a misconfigured server or application that leaks sensitive information an attacker can exploit.

Some of the other dorks available there that help find ColdFusion sites:

• filetype:cfm "cfapplication name" password

• inurl:login.cfm

• intitle:"Error Occurred" "The error occurred in" filetype:cfm

• intitle:"ColdFusion Administrator Login"

• intitle:"Index of" cfide

These dorks were chosen as examples because they are still current and expose critical information. The "Error Occurred" dork matches ColdFusion's default error page, which discloses the path and line of the failing template. As another example, searching for misconfigured sites with the query intitle:"Index of /CFIDE/" administrator and then entering the administrator directory brings up the ColdFusion Administrator login screen, showing the admin username. That directory is where the ColdFusion Administrator lives, and it should never be reachable from the Internet.

Note that your search results may differ from mine: results change over time, and some dorks stop returning hits as Google adjusts how it handles such queries and as affected sites are fixed or de-indexed.

ColdFusion Attacks

One of the main sources for understanding ColdFusion attacks is the Common Vulnerabilities and Exposures (CVE) databases. They contain information you can use to patch or tune your ColdFusion installation and raise its security. They are not the only source, but they are a good one to have. Two sites I recommend are:

1. https://www.cvedetails.com

2. https://securityfocus.com

Make sure you check them out!

Back to the attack vectors that can be used against ColdFusion. The common ones are:

1. Information Disclosure

Attacks aimed at extracting system-specific information about the application, such as the software distribution, version numbers and patch levels. Verbose ColdFusion error pages and directory listings are classic sources of this kind of leak.

2. Cross Site Scripting

Injection of malicious scripts, generally in the form of a browser-side script, into pages viewed by other users.

3. SQL injection

The attacker executes malicious SQL statements against the database server to gain unauthorized access to sensitive data, including passwords, accounts, customer information and more.

4. Admin Interfaces Exposed

The attacker exploits admin interfaces that lack sufficient controls against unauthorized access, using them to take over the application, escalate privileges and extract sensitive data. The ColdFusion Administrator under /CFIDE/administrator/ is the obvious case: restrict it at the web server to trusted addresses, and never expose it to the Internet.
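The first three vectors above come down to how a template handles request input. Here is an added example (not code from the article or from Adobe) of one ColdFusion template written both ways: the vulnerable version pastes url.id and url.q straight into a cfquery and echoes url.q unencoded, while the hardened version validates the input, binds it with cfqueryparam, and encodes all output with encodeForHTML(). The datasource name appDSN and the customers table with columns id, name and email are assumptions made for the example.

```cfml
<!--- search.cfm, VULNERABLE version (added example, not from the article).
      Assumed: datasource "appDSN", table customers(id, name, email). --->
<cfparam name="url.id" default="">
<cfparam name="url.q"  default="">

<!--- SQL injection: both parameters are pasted into the statement as text.
      ?id=1 OR 1=1 returns every customer; ?q=x%' UNION SELECT ... reads other tables. --->
<cfquery name="getCustomer" datasource="appDSN">
    SELECT id, name, email FROM customers
    WHERE id = #url.id# AND name LIKE '%#url.q#%'
</cfquery>

<!--- Reflected XSS: url.q is echoed back without encoding, so
      ?q=<script>...</script> runs in the victim's browser. --->
<cfoutput>
    <p>Results for: #url.q#</p>
    <cfloop query="getCustomer">
        <li>#getCustomer.name# (#getCustomer.email#)</li>
    </cfloop>
</cfoutput>


<!--- search.cfm, HARDENED version --->
<cfparam name="url.id" default="">
<cfparam name="url.q"  default="">

<!--- Validate before use: the id must be a positive integer, and the free-text
      search term gets a length cap (the limit of 100 is an arbitrary choice). --->
<cfif NOT isValid("integer", url.id) OR url.id LTE 0 OR len(url.q) GT 100>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- cfqueryparam sends each value as a bound parameter of the declared SQL type,
      so the database never parses it as part of the statement. The LIKE wildcards
      belong in the bound value, not in the SQL text. --->
<cfquery name="getCustomer" datasource="appDSN">
    SELECT id, name, email FROM customers
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="102">
</cfquery>

<!--- encodeForHTML() (ColdFusion 10 and later; use htmlEditFormat() on older
      releases) turns <, >, quotes and & into entities, so data is shown, not executed.
      Database columns are encoded too: stored XSS is as real as reflected XSS. --->
<cfoutput>
    <p>Results for: #encodeForHTML(url.q)#</p>
    <cfloop query="getCustomer">
        <li>#encodeForHTML(getCustomer.name)# (#encodeForHTML(getCustomer.email)#)</li>
    </cfloop>
</cfoutput>
```

The binding does the real work against SQL injection; the length check and the 400 response are there so that obviously malformed requests never reach the database at all. Note that a cfqueryparam is still only as good as its cfsqltype: binding an attacker-controlled value as a varchar and then using it as a column or table name in the SQL text would reintroduce the problem.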

Sample Attack

Let's assume "Organization X" has engaged us to pen-test their newly deployed ColdFusion application and find any security problems.

We start by scanning the server :

We know it runs on ports 80/443 like any website. We then run the Nikto web scanner to reveal more information:

The scan reports several possible findings, among them OSVDB-3389, and shows that the admin page is accessible to us. We start by testing the admin-page vulnerabilities suggested below:

Photo credit: https://nets.ec/Coldfusion_hacking

Once we have identified the ColdFusion version, we run the file-inclusion request suggested above against the server to retrieve the administrator password hash:

We then run hashcat against the recovered hash with a password list, as follows:

Note that the hashcat invocation above applies to this case; your options (hash mode, attack mode, wordlist) may differ, so run man hashcat to learn more about the tool and how to use it.

Once access to the admin panel is gained, a web shell can be uploaded; with a listener on a remote server the attacker then has interactive access and can attempt to escalate privileges.

As this shows, an attacker can compromise the server, escalate, and use that foothold to move into your network and the servers inside it.

Summary and Recommendations

ColdFusion is adopted widely by government and private organizations because its simple design attracted many developers to learn and use it. Learning how to handle errors and the request life cycle during development is vital to ColdFusion application security: unhandled errors leak template paths and versions, and the request life cycle is where input checks belong. It is equally important to harden the deployment and install only the components you actually need.
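As an added example of the error- and request-handling point above (not code from the article or from Adobe), here is an Application.cfc for an assumed application named orgXApp. onRequestStart refuses direct requests to templates under an assumed /includes/ directory, and onError logs the full exception server-side with cflog while returning a generic page, so the default ColdFusion error page that reveals the failing template path (the one the "Error Occurred" dork finds) is never shown to the client. The application name, log file name and includes directory are assumptions.

```cfml
<!--- Application.cfc (added example; orgXApp and /includes/ are assumed names) --->
<cfcomponent output="false">
    <cfset this.name = "orgXApp">
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- scriptProtect rewrites a few dangerous tags found in the form, url, cgi and
          cookie scopes. Defence in depth only; output encoding is still required. --->
    <cfset this.scriptProtect = "all">

    <!--- Request life cycle: runs before every page. Returning false stops the request. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Templates under /includes/ are meant to be cfincluded, never requested
              directly (assumed layout). Answer 404 so nothing about them is disclosed. --->
        <cfif findNoCase("/includes/", arguments.targetPage)>
            <cfheader statuscode="404" statustext="Not Found">
            <cfreturn false>
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- Error life cycle: any uncaught exception lands here instead of on the
          default ColdFusion error page. --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <cfset var detail = "">

        <!--- Keep the detail (message, failing template, SQL, stack) on the server... --->
        <cfif structKeyExists(arguments.exception, "detail")>
            <cfset detail = arguments.exception.detail>
        </cfif>
        <cflog file="orgXApp" type="error"
               text="#arguments.eventName# #cgi.script_name#: #arguments.exception.message# #detail#">

        <!--- ...and give the client a generic response with no path, version or SQL. --->
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>
            <h1>Something went wrong</h1>
            <p>The problem has been logged. Please try again later.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

ColdFusion picks Application.cfc up automatically from the requested template's directory or the nearest parent. Two server-side settings belong with it: turn off "Enable Robust Exception Information" in the ColdFusion Administrator's debugging settings, and configure a site-wide error handler there as a fallback for errors thrown before Application.cfc itself has loaded.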

Credit is also due to the sources and references below.

Sources and References:

1. https://dl.packetstormsecurity.net/papers/attack/topseven-coldfusion.pdf
2. http://www.learncfinaweek.com/week1/What_is_ColdFusion_/
3. https://w3techs.com/technologies/details/pl-coldfusion/all/all
4. https://security.stackexchange.com/questions/34534/how-to-use-information-from-ghdb-and-fsdb-google-dorks
5. https://www.offensive-security.com/community-projects/google-hacking-database/
6. http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf

Writer, engineer, cyber-security enthusiast, PhD candidate & open source; I write about my day-to-day experience in software, data and engineering.