<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
	<channel>
	<title>cfexecute</title>
	<link>http://www.cfexecute.com/</link>
	<description />
	<generator>Mango 1.4</generator>
	
	
		
      <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/cfexecute" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
         <title>Quick Note About IIS 7.5 FTP Virtual Hosts</title>
         <description>&lt;p&gt;With the release of IIS 7.5 (available in Windows Server 2008 R2 and Windows 7), FTP is finally re-integrated into the main IIS Manager.  Those of you still on 7.0 know that you have to use the IIS 6 Manager to manage FTP sites.  One of the great new features in IIS 7.5 FTP is the ability to set up virtual hosts for FTP (multiple FTP sites on port 21 sharing the same IP address), similar to how you set up web sites with host headers in IIS.  One trip-up when you attempt to log in is that the user name needs to include the virtual host name.  Consider the following setup:&lt;/p&gt;
&lt;p&gt;&lt;img src="/assets/content//IISFTP.png" alt="IIS Bindings" width="550" /&gt;&lt;/p&gt;
&lt;p&gt;Notice that one of the bindings is ftp:192.168.1.101:21:cfbeam.localhost.  When you connect with an FTP client, the user name needs to be entered as:&lt;/p&gt;
&lt;p style="padding-left: 30px;"&gt;VirtualHost|UserName&lt;/p&gt;
&lt;p&gt;Notice the pipe (|) between the virtual host and the user name.  FTP has no equivalent of the HTTP Host header, so the host name travels inside the USER command; if you leave it out, the server cannot tell which site you want and you will likely see the following in the IIS FTP logs and in your FTP client:&lt;/p&gt;
&lt;p style="padding-left: 30px;"&gt;Response:    220 Microsoft FTP Service&lt;br /&gt;Command:    USER brent&lt;br /&gt;Response:    530-Valid hostname is expected.&lt;br /&gt;Response:     Win32 error:   No such host is known. &lt;br /&gt;Response:     Error details: Hostname didn't match any configured ftp site.&lt;br /&gt;Response:    530 End&lt;br /&gt;Error:    Could not connect to server&lt;/p&gt;
&lt;p&gt;For more information on configuring virtual hosts in IIS 7.5 see &lt;a href="http://learn.iis.net/page.aspx/320/using-ftp-virtual-host-names/"&gt;http://learn.iis.net/page.aspx/320/using-ftp-virtual-host-names/&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/7pvzjGt3hAU" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/7pvzjGt3hAU/quick-note-about-iis-7-5-ftp-virtual-hosts</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/quick-note-about-iis-7-5-ftp-virtual-hosts</guid>
         <category>IIS 7.5</category><category>Server Administration</category>
         <pubDate>Mon, 26 Oct 2009 06:20:12 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/quick-note-about-iis-7-5-ftp-virtual-hosts</feedburner:origLink></item>	
      <item>
         <title>ColdFusion 8/9 64-bit Unable to Load Library Error</title>
         <description>&lt;p&gt;As more developers begin to move their clients to 64-bit operating systems and 64-bit ColdFusion, you will likely encounter the following error message:&lt;/p&gt;
&lt;p style="padding-left: 30px;"&gt;Unable to load library  C:\ColdFusion8\cfx\[tagname].dll&lt;/p&gt;
&lt;p&gt;This means the DLL for the tag is a 32-bit binary.  A 64-bit process cannot load a 32-bit DLL, so 64-bit ColdFusion (running in a 64-bit JVM) fails to load it, even though the same DLL loads fine under 32-bit ColdFusion, including on 64-bit Windows, where the 32-bit process runs under the WOW64 compatibility layer.  So far, for most of the occurrences I've seen of this, they are on older tags where the original publisher no longer exists, so I am not holding out for 64-bit versions.  Luckily, most of the functionality that used to require a CFX tag is now built in to ColdFusion 8 and 9.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/yy2YG487B-0" height="1" width="1"/&gt;</description>
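Before you go hunting for a 64-bit build of a tag, confirm which kind of DLL you actually have. The script below is an added example, not code from the original post: it reads the Machine field of the PE/COFF header, which is what distinguishes a 32-bit image from a 64-bit one. The stub headers it builds for the demo are constructed and are not loadable DLLs; point dll_bitness() at a real file under your cfx directory to check a tag.

```python
"""Tell a 32-bit CFX DLL from a 64-bit one by reading its PE header.

Added example, not code from the original post. 64-bit ColdFusion runs in a
64-bit JVM and cannot load a 32-bit DLL, which is what produces the "Unable to
load library" error above; the Machine field of the PE/COFF header tells you
which kind of image you have before you try. make_stub_header() fabricates a
minimal header for the demo (constructed; not a loadable DLL); pe_machine()
and dll_bitness() work on real files.
"""
import os
import tempfile

# Machine values defined in the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C    # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664   # 64-bit x64
IMAGE_FILE_MACHINE_IA64 = 0x0200    # 64-bit Itanium

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "32-bit (x86)",
    IMAGE_FILE_MACHINE_AMD64: "64-bit (x64)",
    IMAGE_FILE_MACHINE_IA64: "64-bit (IA-64)",
}


def pe_machine(data):
    """Return the COFF Machine field from the leading bytes of a PE image."""
    if 0x40 > len(data) or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")   # offset of the PE signature
    if e_lfanew + 6 > len(data):
        raise ValueError("PE header lies beyond the supplied bytes")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")


def describe_machine(machine):
    return MACHINE_NAMES.get(machine, f"unknown machine type 0x{machine:04X}")


def dll_bitness(path):
    """Report the architecture of a DLL on disk, reading only the two header fragments it needs."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        e_lfanew = int.from_bytes(dos[0x3C:0x40], "little") if len(dos) == 0x40 else 0
        f.seek(e_lfanew)
        coff = f.read(6)
    # Pad the DOS header out to e_lfanew so pe_machine() can validate both fragments as one buffer.
    return describe_machine(pe_machine(dos.ljust(e_lfanew, b"\x00") + coff))


def make_stub_header(machine, e_lfanew=0x80):
    """Constructed MZ + PE header with the given Machine value; enough for the check, not a real DLL."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    # Machine is followed by the remaining 18 bytes of the 20-byte COFF header, zeroed here.
    coff = b"PE\x00\x00" + machine.to_bytes(2, "little") + bytes(18)
    return bytes(dos) + coff


def demo():
    """Write two constructed stubs to a temp directory and classify them as you would real CFX DLLs."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, machine in (("legacy_tag.dll", IMAGE_FILE_MACHINE_I386),
                              ("tag_x64.dll", IMAGE_FILE_MACHINE_AMD64)):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(make_stub_header(machine))
            results[name] = dll_bitness(path)
    return results


if __name__ == "__main__":
    print(demo())
```

A tag that reports "32-bit (x86)" will never load into 64-bit ColdFusion, whatever else you do to the server; on a machine with the Windows SDK, dumpbin /headers tag.dll prints the same field.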
         <link>http://feedproxy.google.com/~r/cfexecute/~3/yy2YG487B-0/coldfusion-8-9-64-bit-unable-to-load-library-error</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/coldfusion-8-9-64-bit-unable-to-load-library-error</guid>
         <category>ColdFusion</category>
         <pubDate>Tue, 20 Oct 2009 00:16:56 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/coldfusion-8-9-64-bit-unable-to-load-library-error</feedburner:origLink></item>	
      <item>
         <title>TinyMCE TinyBrowser Plugin Vulnerability</title>
         <description>&lt;p&gt;After the FCKEditor vulnerability that Adobe patched a few weeks ago, it turns out that a plugin for TinyMCE is also exploitable for remote file upload, which can be used to gain access to the server hosting your application.&lt;/p&gt;
&lt;p&gt;The details of this particular exploit are posted at Milw0rm (&lt;a href="http://www.milw0rm.com/exploits/9296"&gt;http://www.milw0rm.com/exploits/9296&lt;/a&gt;).  Keep in mind this affects only the TinyBrowser plugin and not TinyMCE itself, so a default TinyMCE installation without this plugin should be OK.&lt;/p&gt;
&lt;p&gt;That being said, some general security tips as usual:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Always upload to a location outside the web root first and run additional checks on the files before making them web accessible.  If you cannot write outside the root of your site (shared hosting), have your hosting provider configure a temporary folder inside your web root so that the web server refuses to serve files from it while your application can still read them.&lt;/li&gt;
&lt;li&gt;Keep any upload scripts behind an authentication scheme, whether HTTP authentication (a pop-up password box) or something like cflogin.  Then test that these files really cannot be reached without logging in: you may think "OK, you need to log in to the /admin/ directory", but can you still request /admin/tinymce/ (and the plugin scripts under it) without logging in?&lt;/li&gt;
&lt;li&gt;Use secure passwords.  I can't say this enough: I've seen MANY applications where the administrator account is admin/admin or admin/admin123, which are the first things an attacker (more likely their scripts and tools) will try.  I have seen a surge in brute-force attempts against admin login screens recently, many of them successful because the passwords were woefully weak.&lt;/li&gt;
&lt;li&gt;Define a password policy.  Set requirements such as minimum length and complexity as part of your application's business logic and enforce them (regular expressions are the simplest way).  Another good idea is to log every login failure, keeping values such as CGI.QUERY_STRING and CGI.REMOTE_ADDR so you know where the requests are coming from.  If you want to go a step beyond logging, send an alert on each failure with the same information.  You could even count failed logins and lock the user out for a period of time after a set number of failed attempts.  These things add a bit of time and complexity to your development cycle, but they could very well save you hundreds of thousands of dollars and man-hours later.&lt;/li&gt;
&lt;/ul&gt;
&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/igAivGaLymA" height="1" width="1"/&gt;</description>
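The last tip above (log every failure with the caller's address and query string, then lock the account after repeated failures) is the kind of thing that is easy to describe and easy to get subtly wrong, so here it is worked through. This is an added example, not code from the original post or from TinyMCE: the thresholds, the injectable clock and the check_password callback are this example's own assumptions, and the credential store in demo() is constructed.

```python
"""Log every login failure and lock the account after repeated failures.

Added example, not code from the original post. It does what the post
suggests: every failure is recorded with the caller's address and query
string (what ColdFusion exposes as CGI.REMOTE_ADDR and CGI.QUERY_STRING),
and an account is locked for a while after a fixed number of failures
inside a time window. The thresholds, the injectable clock and the
check_password callback are this example's own assumptions.
"""
from collections import defaultdict, deque
import time


class LoginGuard:
    def __init__(self, max_failures=5, window=15 * 60, lockout=30 * 60, clock=time.time):
        self.max_failures = max_failures   # failures inside `window` seconds that trigger a lock
        self.window = window
        self.lockout = lockout             # seconds the account stays locked
        self.clock = clock                 # injectable so the behaviour can be tested deterministically
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> epoch seconds when the lock expires
        self.audit_log = []                  # one record per event; ship these to cflog, syslog or a SIEM

    def _now(self, now):
        return self.clock() if now is None else now

    def is_locked(self, user, now=None):
        now = self._now(now)
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                  # lock expired: forget it and start counting afresh
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, remote_addr, query_string, now=None):
        """Log the failure and return True if this one tripped the lock."""
        now = self._now(now)
        self.audit_log.append({"ts": now, "user": user, "remote_addr": remote_addr,
                               "query_string": query_string, "event": "failure"})
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:   # age out failures older than the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def attempt_login(guard, user, password, remote_addr, query_string, check_password, now=None):
    """Return "ok", "failed" or "locked".

    Show the user one generic message for the last two; the distinction is for
    your logs, not for the attacker. check_password(user, password) is whatever
    your application already uses to verify credentials.
    """
    if guard.is_locked(user, now):
        guard.audit_log.append({"ts": guard._now(now), "user": user, "remote_addr": remote_addr,
                                "query_string": query_string, "event": "attempt while locked"})
        return "locked"                   # the password is not even evaluated while locked
    if check_password(user, password):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user, remote_addr, query_string, now)
    return "failed"


def demo():
    """Constructed scenario: three admin/admin-style guesses, then the real password while locked."""
    users = {"admin": "correct horse battery staple"}       # constructed credential store

    def check(u, p):
        return users.get(u) == p

    guard = LoginGuard(max_failures=3, window=15 * 60, lockout=30 * 60)
    results = []
    for t, pw in ((0, "admin"), (1, "admin123"), (2, "password"), (3, "correct horse battery staple")):
        results.append(attempt_login(guard, "admin", pw, "203.0.113.5", "action=login", check, now=1000 + t))
    return results, guard.audit_log


if __name__ == "__main__":
    print(demo())
```

Two design points worth copying: the window prunes old failures before counting, so a user who mistypes once a week is never locked, and a locked account short-circuits before the password is checked, so a brute-force run gets no signal from the response time.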
         <link>http://feedproxy.google.com/~r/cfexecute/~3/igAivGaLymA/tinymce-tinybrowser-plugin-vulnerability</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/tinymce-tinybrowser-plugin-vulnerability</guid>
         <category>ColdFusion</category><category>Security</category>
         <pubDate>Tue, 28 Jul 2009 20:42:12 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/tinymce-tinybrowser-plugin-vulnerability</feedburner:origLink></item>	
      <item>
         <title>Recent ColdFusion Vulnerabilities Follow-Up</title>
         <description>&lt;p&gt;For about three weeks now, ColdFusion servers have been under attack through one of two vulnerabilities: one in older versions of an application written in ColdFusion (CFWebstore, below), the other in the FCKEditor that ships with ColdFusion 8.  Fixes are available for both and should be applied with the utmost priority.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;FCKEditor&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;When Adobe initially shipped ColdFusion 8.0 it included FCKEditor, which was enabled when using &amp;lt;cftextarea richtext="true"&amp;gt;.  In version 8.0 the built-in FCKEditor file manager and uploader were disabled.  While there was a post about &lt;a href="http://www.rakshith.net/blog/?p=41"&gt;enabling them&lt;/a&gt;, most developers didn't use these features, preferring to handle file uploads separately.  However, when the 8.0.1 update was released, Adobe enabled file uploads on the FCKEditor instance by default.&lt;/p&gt;
&lt;p&gt;It was determined that an attacker could call the uploader's connector scripts directly and, by spoofing the file type, upload files to the server that could lead to a full compromise of the Windows host.&lt;/p&gt;
&lt;p&gt;There are two fixes.  The first is simply to edit the config.cfm file at \CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm to disable uploads [&lt;a href="http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat"&gt;see&lt;/a&gt;].  Adobe has also released a security update for this issue (APSB09-09) that should be applied to your servers as a priority [&lt;a href="http://www.adobe.com/support/security/bulletins/apsb09-09.html"&gt;link&lt;/a&gt;].  Do both: disabling uploads in config.cfm removes the attack surface immediately, and the update addresses the vulnerability itself.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CFWebstore&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;As I mentioned in my last post, users running older versions of CFWebstore could also be vulnerable because a few upload scripts are directly accessible and susceptible to file-type spoofing.  It's important to note that CFWebstore responded very quickly, providing a &lt;a href="http://blog.cfwebstore.com/index.cfm/2009/6/30/A-Code-Snippet-to-Help-Protect-Against-Attacks"&gt;temporary fix&lt;/a&gt; to block access to the upload files.  They also released a more &lt;a href="http://blog.cfwebstore.com/index.cfm/2009/7/3/Details-on-Dealing-with-the-File-Upload-Hack"&gt;detailed description&lt;/a&gt; of exactly what was happening to servers, compiled from many users' experiences described on their &lt;a href="http://groups.yahoo.com/group/cfwebstore5/"&gt;mailing list&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Staying on Top of Things&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;So how can you stay on top of these sorts of issues in the future?  My first recommendation is to subscribe to as many ColdFusion-related blogs as possible; at least start with the &lt;a href="http://coldfusionbloggers.org"&gt;ColdFusionBloggers.org&lt;/a&gt; feed.  Second, join the forums or mailing lists for any applications you are running.  Third, keep your software as up to date as possible: the longer a version is in the wild, the more likely someone with lots of time on their hands has found a way to turn even the smallest hole into a very large hassle for you.  Lastly, keep an eye on the &lt;a href="https://isc.sans.org/"&gt;SANS Internet Storm Center&lt;/a&gt;, which reports on vulnerabilities as they are discovered and patched, covering everything from Apple products and web applications to Windows.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Additional Resources&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Adobe's Security Response Blog (&lt;a href="http://blogs.adobe.com/psirt/"&gt;http://blogs.adobe.com/psirt/&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Adobe's Security Response Process (&lt;a style="text-decoration: none; color: #3b5d77;" href="http://blogs.adobe.com/asset/2009/01/adobe_psirt_process_1.html"&gt;http://blogs.adobe.com/asset/2009/01/adobe_psirt_process_1.html&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;ColdFusion 8 Hot Fixes (&lt;a href="http://kb2.adobe.com/cps/402/kb402604.html"&gt;http://kb2.adobe.com/cps/402/kb402604.html&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Adobe Security Bulletins and Advisories - all products (&lt;a href="http://www.adobe.com/support/security/"&gt;http://www.adobe.com/support/security/&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;CFWebstore's Blog (&lt;a href="http://blog.cfwebstore.com/"&gt;http://blog.cfwebstore.com/&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;CFWebstore's E-mail List (&lt;a href="http://tech.groups.yahoo.com/group/cfwebstore5/"&gt;http://tech.groups.yahoo.com/group/cfwebstore5/&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;SANS Internet Storm Center (&lt;a href="https://isc.sans.org/"&gt;https://isc.sans.org/&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/dsiKswpy7-M" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/dsiKswpy7-M/recent-coldfusion-vulnerabilities-follow-up</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/recent-coldfusion-vulnerabilities-follow-up</guid>
         <category>ColdFusion</category><category>Security</category>
         <pubDate>Sat, 11 Jul 2009 08:44:00 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/recent-coldfusion-vulnerabilities-follow-up</feedburner:origLink></item>	
      <item>
         <title>Theme</title>
         <description>&lt;p&gt;Had to change the theme as I couldn't stand that links in my posts were barely visible with the old theme.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/VU0fD7Rt5YM" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/VU0fD7Rt5YM/theme</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/theme</guid>
         <category>Site News</category>
         <pubDate>Sat, 11 Jul 2009 08:26:37 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/theme</feedburner:origLink></item>	
      <item>
         <title>CFWebstore File Upload Vulnerability</title>
         <description>&lt;p&gt;NOTE: Please read my &lt;a href="/post.cfm/recent-coldfusion-vulnerabilities-follow-up"&gt;follow-up&lt;/a&gt; to this and the recent FCKEditor issues affecting ColdFusion, also if you're using TinyMCE with the TinyBrowser plugin read &lt;a href="http://www.cfexecute.com/post.cfm/tinymce-tinybrowser-plugin-vulnerability"&gt;this post&lt;/a&gt; as well.&lt;/p&gt;
&lt;p&gt;There has been a recent outbreak of attacks on servers running the ColdFusion shopping cart &lt;a href="http://www.cfwebstore.com/"&gt;CFWebstore&lt;/a&gt; in which the attackers upload a ColdFusion variant of the C99 web shell.  Once that file is on the server they have full control of it; if they get it up there, treat the server as compromised.&lt;/p&gt;
&lt;p&gt;Here's what they do:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Using the /customtags/uploadfile.cfm page, they &lt;a href="/post.cfm/spoofing-mime-types-with-coldfusion-and-cfhttp"&gt;spoof the MIME type&lt;/a&gt; to upload index.cfm and image.cfm into the /images/accounts directory.  These are their web shells (think of them as control panels for your server).&lt;/li&gt;
&lt;li&gt;Once the web shells are in place, things go one of several ways:&lt;ol&gt;
&lt;li&gt;If you have cfexecute/cfregistry disabled, they will likely just inject JavaScript into every site on your server.&lt;/li&gt;
&lt;li&gt;If you have cfexecute/cfregistry enabled, they will likely install wminotify, which logs every password used to log in to the server for remote administration and sends them home.  At this point you should plan to build a new server: this level of compromise is deep and you are unlikely to clean it all up.&lt;/li&gt;
&lt;li&gt;If you had cfexecute/cfregistry disabled and Sandbox Security on each site, only the CFWebstore site that was attacked gets the JavaScript injection.&lt;/li&gt;
&lt;/ol&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;So you've been attacked and cleaned things up or rebuilt a server or two; what now?  According to the folks at CFWebstore, you need to add the code from their &lt;a href="http://blog.cfwebstore.com/index.cfm/2009/6/30/A-Code-Snippet-to-Help-Protect-Against-Attacks"&gt;blog&lt;/a&gt; to your store's application.cfm.  EDIT: more detailed information is available from &lt;a href="http://blog.cfwebstore.com/index.cfm/2009/7/3/Details-on-Dealing-with-the-File-Upload-Hack"&gt;CFWebstore&lt;/a&gt;.  Use the link rather than a copy here, in case the code is changed.  I would also suggest upgrading to the newest version as fast as your budget and resources allow: according to CFWebstore, as of version 6 the upload files in the customtags directory are no longer used and have been removed from the code base.&lt;/p&gt;
&lt;p&gt;Additional details about the attack:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The shell contains many references to seraph; this is likely his/their &lt;a href="http://hi.baidu.com/seraph1221/blog/" target="_blank"&gt;blog in China&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;It looks like one of seraph's buddies, chanm, is actually doing the attack, as I've seen Windows users created with the name chanm$.&lt;/li&gt;
&lt;li&gt;More info about wminotify.dll from &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2007-072703-1008-99&amp;amp;tabid=2"&gt;Symantec&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Read through the comments on Ray Camden's &lt;a href="http://www.coldfusionjedi.com/index.cfm/2009/6/30/Are-you-aware-of-the-MIMEFile-Upload-Security-Issue"&gt;post&lt;/a&gt; about this issue which includes many details from various people's experience with this attack&lt;/li&gt;
&lt;li&gt;The attacker sometimes uploads a JSP file to get around the security layer in ColdFusion, which completely bypasses any Sandboxes you have set up&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;While this is a specific attack on one application, the lessons learned can be applied to any web application:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;DO NOT blindly trust the MIME types sent by a browser; they are trivially spoofed.&lt;/li&gt;
&lt;li&gt;DO upload outside your web root initially&lt;/li&gt;
&lt;li&gt;DO additional checks on uploaded files before pushing them live (the file extension should match the content; use functions like isImageFile() and isPDFFile() in ColdFusion, etc.)&lt;/li&gt;
&lt;li&gt;DO protect uploads with some sort of login (assuming your business rules preclude the public uploading content to your site)&lt;/li&gt;
&lt;li&gt;DO disable JSP handling in ColdFusion if you don't use it, see Adobe &lt;a href="http://livedocs.adobe.com/coldfusion/8/htmldocs/configuring_12.html"&gt;instructions&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Edit:  It's been a long 2 weeks dealing with these; if I've missed something, let me know in the comments.&lt;/p&gt;
&lt;p&gt;Last Update: 2 July 2009 12:40 PM&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/87uDHVkhCso" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/87uDHVkhCso/cfwebstore-file-upload-vulnerability</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/cfwebstore-file-upload-vulnerability</guid>
         <category>ColdFusion</category><category>Security</category>
         <pubDate>Wed, 01 Jul 2009 22:13:10 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/cfwebstore-file-upload-vulnerability</feedburner:origLink></item>	
      <item>
         <title>Spoofing MIME Types with ColdFusion and CFHTTP</title>
         <description>&lt;p&gt;Think your file uploads are secure?  Think again.  Using this very simple technique with ColdFusion installed locally, you can spoof the MIME type of any file, get it past a MIME-based accept check and onto another server, and from there run whatever code you like.&lt;/p&gt;
&lt;p&gt;First, we're going to write a quick file upload script:&lt;/p&gt;
&lt;p&gt;&lt;code class="coldfusion"&gt;&lt;span class='cc_cf_cftag'&gt;&amp;lt;cfform name='upload' action='uploadact.cfm' enctype='multipart/form-data' method='post'&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span class='cc_cf_cftag'&gt;&amp;lt;cfinput type='file' name='FileUpload' required='yes' message='Select a file to upload.' /&amp;gt;&lt;/span&gt;&lt;span class='cc_html_basic'&gt;&amp;lt;br /&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span class='cc_cf_cftag'&gt;&amp;lt;cfinput type='submit' value='Upload File' name='submit' /&amp;gt;&lt;/span&gt;
&lt;span class='cc_cf_cftag'&gt;&amp;lt;/cfform&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The form posts to an action page called uploadact.cfm, which is meant to accept only JPEGs and GIFs and handles the upload as follows:&lt;/p&gt;
&lt;p&gt;&lt;code class="coldfusion"&gt;&lt;span class='cc_cf_cftag'&gt;&amp;lt;cfif isDefined('fileUpload')&amp;gt;&lt;/span&gt;&lt;br /&gt;  &lt;span class='cc_cf_cftag'&gt;&amp;lt;cffile action='upload'&lt;br /&gt;     fileField='fileUpload'&lt;br /&gt;     destination='C:\path\to\upload'&lt;br /&gt;     accept='image/jpeg,image/gif'&lt;br /&gt;     nameconflict='makeunique'&amp;gt;&lt;/span&gt;&lt;br /&gt;     &lt;span class='cc_html_basic'&gt;&amp;lt;p&amp;gt;&lt;/span&gt;Thankyou, your file has been uploaded.&lt;span class='cc_html_basic'&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;&lt;br /&gt;     &lt;span class='cc_html_basic'&gt;&amp;lt;p&amp;gt;&lt;/span&gt;&lt;span class='cc_anchor'&gt;&amp;lt;a href='/'&amp;gt;&lt;/span&gt;Return Home&lt;span class='cc_anchor'&gt;&amp;lt;/a&amp;gt;&lt;/span&gt;&lt;span class='cc_html_basic'&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
&lt;span class='cc_cf_cftag'&gt;&amp;lt;/cfif&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Now for the fun part.  We write a page using cfhttp that runs on the attacker's server or workstation and uploads a file local to them, faking the MIME type with cfhttpparam:&lt;/p&gt;
&lt;p&gt;&lt;code class="coldfusion"&gt;&lt;span class='cc_cf_cftag'&gt;&amp;lt;cfhttp url='http://example.com/uploadact.cfm' method='post'&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span class='cc_cf_cftag'&gt;&amp;lt;cfhttpparam type='formfield' value='Upload File' name='submit'&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span class='cc_cf_cftag'&gt;&amp;lt;cfhttpparam type='file' name='FileUpload' file='C:\Path\To\test.cfm' mimetype='image/jpeg'&amp;gt;&lt;/span&gt;
&lt;span class='cc_cf_cftag'&gt;&amp;lt;/cfhttp&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The accept attribute of cffile only compares the Content-Type the client declares for the uploaded part, which is exactly the value the request above forges, so test.cfm lands in the upload directory.  With this we could upload an ASP or ColdFusion web shell and gain essentially unlimited access to the server.  So follow these tips:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;If you have an Enterprise license, use Sandbox Security.  This limits each site to its own set of directories and data sources.&lt;/li&gt;
&lt;li&gt;Disable cfexecute and cfregistry.  If you can use Sandboxes, do this in each Sandbox, or set up a global Sandbox on your main site's directory.  If you absolutely need cfexecute, remember that you can create a Sandbox for a single folder that allows it and keep the processing files there (say, to use FFMPEG for video conversion).&lt;/li&gt;
&lt;li&gt;Disable JSP (&lt;a href="http://livedocs.adobe.com/coldfusion/8/htmldocs/configuring_12.html" target="_blank"&gt;Adobe Instructions&lt;/a&gt;) if you don't actually use it.  Since ColdFusion on Windows runs as SYSTEM by default, any JSP file that makes its way onto the server has full access, and JSPs are not subject to Sandbox restrictions, so even configured Sandboxes are of no use against them.&lt;/li&gt;
&lt;li&gt;Run ColdFusion as another user (&lt;a href="http://kb2.adobe.com/cps/172/tn_17279.html" target="_blank"&gt;Adobe Instructions&lt;/a&gt;).  Running ColdFusion as a less privileged account limits what an attacker gains should something malicious get uploaded.&lt;/li&gt;
&lt;li&gt;Always perform multiple checks on your file uploads (Pete Freitag has a &lt;a href="http://www.petefreitag.com/item/701.cfm" target="_blank"&gt;good article on this&lt;/a&gt;).&lt;/li&gt;
&lt;/ol&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/qpeH57M393w" height="1" width="1"/&gt;</description>
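The tips here and the lessons list in the CFWebstore post above both come down to the same server-side discipline, so one worked example serves both. It is an added example, not code from the original posts, from CFWebstore or from Adobe: it replays the cfhttp spoof (a .cfm file declared as image/jpeg) against a validator that checks an extension allowlist, sniffs the content by magic bytes, requires extension, content and declared type to agree, and writes the file under a server-chosen name into a staging directory. The staging_dir argument is whatever you pass in and should sit outside the web root; the demo uses a temporary directory. The shell stand-in and image headers are constructed.

```python
"""Validate an upload without trusting the browser-declared MIME type.

Added example; not code from the original posts, CFWebstore or Adobe. It
performs the checks the posts recommend against the cfhttp spoof shown
above: an extension allowlist, content sniffing by magic bytes, agreement
between extension, content and declared type, and writing the file under a
server-chosen name into a staging directory (pass one that lives outside
the web root; the demo uses a temporary directory). Sample contents are
constructed.
"""
import os
import tempfile
import uuid

# Allowed extensions, the MIME type each must carry, and the magic bytes that prove it.
ALLOWED_TYPES = {
    ".jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".gif":  ("image/gif", (b"GIF87a", b"GIF89a")),
    ".png":  ("image/png", (b"\x89PNG\r\n\x1a\n",)),
}


def _extension(client_filename):
    """Final suffix of the bare file name, lowercased; directories and earlier dots carry no weight."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def sniff_mime(content):
    """MIME type implied by the leading bytes, or None if the content is not an allowed image."""
    for mime, magics in ALLOWED_TYPES.values():
        if any(content.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(client_filename, declared_mime, content):
    """Return (ok, detail); every rejection says why so the failure can be logged."""
    ext = _extension(client_filename)
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} is not allowed"
    expected_mime = ALLOWED_TYPES[ext][0]
    sniffed = sniff_mime(content)
    if sniffed is None:
        return False, "content does not start like any allowed image type"
    if sniffed != expected_mime:
        return False, f"content is {sniffed} but the extension implies {expected_mime}"
    # The declared type is attacker-controlled (cfhttpparam mimetype=...); any disagreement is hostile.
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        return False, f"declared type {declared_mime!r} disagrees with content {sniffed}"
    return True, expected_mime


def stage_upload(client_filename, declared_mime, content, staging_dir):
    """Validate, then write under a random server-chosen name; raises ValueError on rejection."""
    ok, detail = validate_upload(client_filename, declared_mime, content)
    if not ok:
        raise ValueError(detail)
    # The client's name never reaches disk, so path tricks and odd characters in it die here.
    path = os.path.join(staging_dir, uuid.uuid4().hex + _extension(client_filename))
    with open(path, "wb") as f:
        f.write(content)
    return path


# Constructed stand-ins: a CFML tag (\x3c and \x3e are its angle brackets) and minimal image headers.
CFML_SHELL = b"\x3ccfexecute name='cmd.exe' arguments='/c whoami' timeout='10'\x3e"
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(32)
GIF_HEADER = b"GIF89a" + bytes(32)


def demo():
    """Replay the cfhttp spoof (a .cfm sent as image/jpeg) and a few variants against the validator."""
    outcomes = {
        "spoofed .cfm as image/jpeg": validate_upload("test.cfm", "image/jpeg", CFML_SHELL)[0],
        "shell renamed to .jpg": validate_upload("test.jpg", "image/jpeg", CFML_SHELL)[0],
        "double extension": validate_upload("test.jpg.cfm", "image/jpeg", JPEG_HEADER)[0],
        "gif content under .jpg": validate_upload("pic.jpg", "image/jpeg", GIF_HEADER)[0],
        "declared type lies": validate_upload("pic.gif", "image/jpeg", GIF_HEADER)[0],
        "genuine jpeg": validate_upload("photo.jpg", "image/jpeg", JPEG_HEADER)[0],
    }
    with tempfile.TemporaryDirectory() as staging:   # stands in for a directory outside the web root
        stored = stage_upload("photo.jpg", "image/jpeg", JPEG_HEADER, staging)
        outcomes["staged name is server-chosen"] = (os.path.basename(stored) != "photo.jpg"
                                                   and stored.endswith(".jpg"))
    return outcomes


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Magic-byte sniffing is deliberately the weakest link here: a JPEG with CFML appended passes it, which is why the file also gets a server-chosen .jpg name and is only ever served as static content (ColdFusion's isImageFile() goes further and decodes the image). None of this helps against a JSP dropped by some other route, so the "disable JSP handling" tip still stands on its own.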
         <link>http://feedproxy.google.com/~r/cfexecute/~3/qpeH57M393w/spoofing-mime-types-with-coldfusion-and-cfhttp</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/spoofing-mime-types-with-coldfusion-and-cfhttp</guid>
         <category>ColdFusion</category><category>Security</category>
         <pubDate>Sat, 27 Jun 2009 22:58:31 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/spoofing-mime-types-with-coldfusion-and-cfhttp</feedburner:origLink></item>	
      <item>
         <title>Jason Dean's Security Series</title>
         <description>&lt;p&gt;Jason over at &lt;a href="http://www.12robots.com/"&gt;12Robots.com&lt;/a&gt; has been writing a really great series of articles about secure application development for quite some time.  Since I haven't seen them all in one index, I threw up links to all the articles on this page.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/6/I%27m-starting-a-new-series-on-Secure-Application-Development-with-ColdFusion"&gt;I'm starting a new series on Secure Application Development with ColdFusion&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/9/21/What-is-Security-and-other-important-questions--Security-Series-0"&gt;'What is Security?' and other important questions - Security Series #0&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/10/5/CIA-InfoSec-and-Web-Application-Security--Security-Series-01"&gt;CIA, InfoSec, and Web Application Security - Security Series #0.1&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/10/12/Security-Policy--Security-Series-02"&gt;Security Policy - Security Series #0.2&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt; &lt;a href="http://www.12robots.com/index.cfm/2009/10/26/Do-I-Need-a-Security-Policy--Security-Series-021"&gt;Do I Need a Security Policy? - Security Series #0.2.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/11/16/What-goes-into-a-Security-Policy--Security-Series-022"&gt;What goes into a Security Policy? - Security Series #0.2.2&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/6/Multiple-Datasource-Security-Series-1"&gt;Multiple Datasource - Security Series #1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/7/Securing-Custom-Tags-and-Include-files-Security-Series-2"&gt;Securing Custom Tags and Include files - Security Series #2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/9/Password-Security-Intro-Security-Series-3"&gt;Password Security Intro - Security Series #3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/12/The-Basics-of-Password-Security-Security-Series-4"&gt;The Basics of Password Security - Security Series #4&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/13/A-Simple-Password-Strength-Function-Security-Series-4.1"&gt;A Simple Password Strength Function - Security Series #4.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/18/Password-Security-with-Hashing-Functions--Security-Series-4.2"&gt;Password Security with Hashing Functions - Security Series #4.2&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/19/More-on-Hashing-Functions-Security-Series-4.2.1"&gt;More on Hashing Functions - Security Series #4.2.1&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/21/Salting-Passwords-Security-Series-4.3"&gt;Salting Passwords - Security Series #4.3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/29/Salting-and-Hashing-Code-Example--Security-Series-44"&gt;Salting and Hashing Code Example - Security Series #4.4&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/6/2/User-Login-with-Salted-and-Hashed-passwords--Security-Series-45"&gt;User Login with Salted and Hashed passwords - Security Series #4.5&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/6/4/Password-Security-in-ColdFusion-Wrap-up--Security-Series--46"&gt;Password Security in ColdFusion Wrap up - Security Series # 4.6&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/5/13/Verbose-Error-Messages-Security-Series-5"&gt;Verbose Error Messages - Security Series #5&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/6/8/Session-Security-in-ColdFusion--Subseries-Intro--Security-Series-6"&gt;Session Security in ColdFusion - Sub-series Intro - Security Series #6&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/6/10/Session-Tokens-in-ColdFusion--Security-Series-61"&gt;Session Tokens in ColdFusion - Security Series #6.1 part 1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/6/12/Session-Tokens-in-ColdFusion--Security-Series-61-part-2"&gt;Session Tokens in ColdFusion - Security Series #6.1 part 2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/6/15/Session-Token-Cookies-should-we-force-them-on-our-users"&gt;Session Token Cookies, should we force them on our users - Security Series #6.2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/6/18/How-Session-Tokens-are-Compromised-and-Session-Security-Wrap-Up--Security-Series-63"&gt;How Session Tokens are Compromised and ColdFusion Session Security Wrap Up - Security Series #6.3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/12/18/URL-Session-Tokens-easily-compromised--Security-Series-64"&gt;URL Session Tokens easily compromised - Security Series #6.4&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/1/27/New-Session-on-Login--Security-Series-1231-and-641"&gt;New Session on Login - Security Series #12.3.1 and #6.4.1&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/6/23/Access-Control-Intro--Security-Series-7"&gt;Access Control Intro - Security Series #7&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/7/1/More-on-Access-Control--Security-Series-71"&gt;More on Access Control - Security Series #7.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/7/7/Access-Control-in-ColdFusion--The-Basics-part-1--Security-Series-72"&gt;Access Control in ColdFusion - The Basics (part 1) - Security Series #7.2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/7/15/Access-Control-in-ColdFusion--The-Basics-part-2--Security-Series-72"&gt;Access Control in ColdFusion - The Basics (part 2) - Security Series #7.2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/7/31/Controlling-Access-to-Config-Files-Custom-Tags-and--other-files--Security-Series-73"&gt;Controlling Access to Config Files, Custom Tags, and other files - Security Series #7.3&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in-ColdFusion"&gt;Persistent XSS Attacks and Count
&lt;script src="/admin/assets/editors/tinymce_3/jscripts/tiny_mce/themes/advanced/langs/en.js" type="text/javascript"&gt;&lt;/script&gt;
ermeausures in ColdFusion - Security Series #8&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/8/25/Request-Forgeries-and-ColdFusion--Security-Series-9"&gt;Request Forgeries and ColdFusion - Security Series #9&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/2/9/Enhancing-Request-Forgery-Protection--Security-Series-91"&gt;Enhancing Request Forgery Protection - Security Series #9.1&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/9/9/Enhancing-ColdFusion-Script-Protection--Security-Series-10"&gt;Enhancing ColdFusion Script Protection - Security Series #10&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2008/12/9/Spoofing-CGI-variables--Security-Series-11"&gt;Spoofing CGI Variables - Security Series #11&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/1/5/mmmmMMmmmmmmm-Cookies--Security-Series-12"&gt;mmmmMMmmmmmmm Cookies - Security Series #12&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/1/8/mmmmMMmmmmmmm-Cookies-part-2--Security-Series-121"&gt;mmmmMMmmmmmmm Cookies (part 2) - Security Series #12.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/1/14/More-Cookies--Domain-and-Path-Attributes--Security-Series-122"&gt;More Cookies - Domain and Path Attributes - Security Series #12.2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/1/27/New-Session-on-Login--Security-Series-1231-and-641"&gt;New Session on Login - Security Series #12.3.1 and #6.4.1&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.12robots.com/index.cfm/2009/9/9/Denial-of-Service--Security-Series-13"&gt;Denial of Service - Security Series #13&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I'm pretty sure I got them all from Jason's site, but if I didn't, just let me know in a comment.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/4dEdTQygOPA" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/4dEdTQygOPA/jason-dean-s-security-series</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/jason-dean-s-security-series</guid>
         <category>Series</category><category>ColdFusion</category><category>Security</category>
         <pubDate>Tue, 24 Mar 2009 01:07:04 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/jason-dean-s-security-series</feedburner:origLink></item>	
      <item>
         <title>ColdFusion Stops Serving After a Few Requests</title>
         <description>&lt;p&gt;Just had an issue where ColdFusion would only serve a few requests before locking up and sending constant 503 errors.  Turns out there were almost 200k files in C:\Coldfusion8\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp.  So, to fix this I stopped ColdFusion, renamed wwwroot-tmp to wwwroot-tmp2 and make a new wwwroot-tmp.  Once ColdFusion was started it ran like a champ again.  My theory is the disk I/O was killing CF when it was looking for a chached file.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/yVBJY1v4YMI" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/yVBJY1v4YMI/coldfusion-stops-serving-after-a-few-requests</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/coldfusion-stops-serving-after-a-few-requests</guid>
         <category>ColdFusion</category><category>Server Administration</category>
         <pubDate>Tue, 17 Mar 2009 01:21:39 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/coldfusion-stops-serving-after-a-few-requests</feedburner:origLink></item>	
      <item>
         <title>cfimage CAPTCHA Timer already cancelled</title>
         <description>&lt;p&gt;I've been running into this error more often lately.  Customers using cfimage to create a captcha image will sometimes get the following error when creating the image:&lt;/p&gt;
&lt;p style="padding-left: 30px;"&gt;java.lang.IllegalStateException: Timer already cancelled.&lt;/p&gt;
&lt;p&gt;It appears this is related to Java not having enough memory to create an image, yet ColdFusion still has enough to run and serve pages, which means you have to restart ColdFusion at that point.&lt;/p&gt;
&lt;p&gt;Anyone else run into this, or know of a way to prevent it?&lt;/p&gt;
&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/AbQKOiimZfM" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/AbQKOiimZfM/cfimage-captcha-timer-already-cancelled</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/cfimage-captcha-timer-already-cancelled</guid>
         <category>ColdFusion</category>
         <pubDate>Fri, 06 Feb 2009 20:25:34 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/cfimage-captcha-timer-already-cancelled</feedburner:origLink></item>	
      <item>
         <title>ColdFusion Verity - Unable to create temporary file</title>
         <description>&lt;p&gt;While working on a ticket today, I came across an interesting error message while trying to index or refresh a Verity collection.&lt;/p&gt;
&lt;p&gt;
&lt;code&gt;Unable to create temporary file 
java.lang.SecurityException: Unable to create temporary file
	at java.io.File.checkAndCreate(File.java:1701)
	at java.io.File.createTempFile(File.java:1793)
	at coldfusion.tagext.search.IndexTag.doQueryUpdate(IndexTag.java:702)
	at coldfusion.tagext.search.IndexTag.doStartTag(IndexTag.java:160)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
	at cfindexverity2ecfm902179424.runPage(C:\Websites\41334eae\indexverity.cfm:32)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:370)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
	at cfApplication2ecfc1112783929$funcONREQUEST.runFunction(C:\Websites\41334eae\Application.cfc:205)
	at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:418)
	at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:360)
	at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:324)
	at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:59)
	at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:277)
	at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:192)
	at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:448)
	at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:308)
	at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:74)
	at coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:243)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:269)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.CfmServlet.service(CfmServlet.java:175)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at com.seefusion.Filter.doFilter(Filter.java:49)
	at com.seefusion.SeeFusion.doFilter(SeeFusion.java:1471)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at jrun.servlet.FilterChain.service(FilterChain.java:101)
	at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
	at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
	at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
	at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
	at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
	at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
	at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
	at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
	at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Turns out that if you are using Sandbox Security you'll need to add the value of the GetTempDirectory function to your Sandbox with read and write permissions and it will start working again.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/dbm8PSF0xl0" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/dbm8PSF0xl0/coldfusion-verity-unable-to-create-temporary-file</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/coldfusion-verity-unable-to-create-temporary-file</guid>
         <category>Verity</category><category>ColdFusion</category>
         <pubDate>Sat, 24 Jan 2009 18:26:24 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/coldfusion-verity-unable-to-create-temporary-file</feedburner:origLink></item>	
      <item>
         <title>cfimage CAPTCHA Not Displaying</title>
         <description>&lt;p&gt;You may occassionally run into a problem with ColdFusion and IIS where your CAPTCHA images created by cfimage are simply blank and look like they don't exists.  Assuming you don't have a corrupt installation, the following instructions will help fix this.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open IIS&lt;br /&gt;&lt;img src="/assets/content//IISMGR.PNG" alt="" width="420" /&gt;&lt;/li&gt;
&lt;li&gt;Expand the server you're working with by clicking the plus sign and go to the properties for "Web Sites"&lt;br /&gt;&lt;img src="/assets/content//WebSiteProp.PNG" alt="" width="420" /&gt;&lt;/li&gt;
&lt;li&gt;In the Home Directory tab click on "Configuration"&lt;br /&gt;&lt;img src="/assets/content//HDConfig.PNG" alt="" width="420" /&gt;&lt;/li&gt;
&lt;li&gt;You should now be on the "Application Configuration" screen, select the Wildcard Mapping at the bottom which goes to &lt;em&gt;cfroot&lt;/em&gt;/runtime/lib/wsconfig/1/jrun_iis6_wildcard.dll and hit Edit&lt;br /&gt;&lt;img src="/assets/content//AppMapping.PNG" alt="" width="420" /&gt;&lt;/li&gt;
&lt;li&gt;Make sure "Verify that file exists" is unchecked and hit OK until you're back at the IIS Manager.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This should correct any issues you had with cfimage and many other tags that also create things "on the fly" in ColdFusion.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/P_FMHpMtIVU" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/P_FMHpMtIVU/cfimage-captcha-not-displaying</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/cfimage-captcha-not-displaying</guid>
         <category>ColdFusion</category><category>Server Administration</category>
         <pubDate>Sun, 18 Jan 2009 02:55:18 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/cfimage-captcha-not-displaying</feedburner:origLink></item>	
      <item>
         <title>Getting Support to Answer your Question the First Time</title>
         <description>&lt;p&gt;We've all been there, something has stumpped us or is simply out of our control and we need to contact support.  But how do you ensure that they will fix your problem or give you the correct answer with a bunch of back-and-forth, simple:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;When you email support, make sure you use a descriptive title.&lt;br /&gt;If I had a nickel for every email I've seen that simply has the title "Error" or "Help" I wouldn't need to work anymore.  Make your title concise but descriptive, for example: "ColdFusion Form Validation not Working"&lt;br /&gt;This gives technicians looking through their queues a good idea of what you need help with, giving you a higher chance of getting looked at first.&lt;/li&gt;
&lt;li&gt;Include any relevant information about your account (i.e. domain name, account numbers, etc.)&lt;br /&gt;The idea here is to have the technician locate and identify your account as fast as possible.  Again, I've had to email a number of customers because I simply cannot locate their account with any of the information provided.&lt;/li&gt;
&lt;li&gt;Include as much information in your request as you can.  For example, sending in a DNS update is probably fine if you just put what DNS record and the new value.  But for something where you are getting errors, it helps to have the exact steps that got you to that error.  We do this every day and have probably seen the same or a similar message before, and hopefully will be able to fix it fast if we know where to start.&lt;/li&gt;
&lt;li&gt;Be honest!  This last one is important.  I once had a customer who accidentally ran rm -rf / on his Linux server, but canceled it very quickly when he realized what happened.  He was very upfront about what happened, and consequently, we were able to get things restored within an hour or so.  Whereas, if the customer had been evasive and just said "things are not working", who knows how long it could have taken to determine they deleted 1/4 of their file system.&lt;/li&gt;
&lt;/ol&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/zdzT11AB1Dc" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/zdzT11AB1Dc/getting-support-to-answer-your-question-the-first-time</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/getting-support-to-answer-your-question-the-first-time</guid>
         <category>Default</category>
         <pubDate>Tue, 16 Dec 2008 04:13:18 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/getting-support-to-answer-your-question-the-first-time</feedburner:origLink></item>	
      <item>
         <title>ColdFusion Redirects</title>
         <description>&lt;p&gt;If you don't have access to mod_rewrite or an isapi rewrite plugin, you may be forced to use some of the built in ColdFusion functions to force a redirect.  Today I had a customer who wanted to force all traffic through the www. portion of their domain.  Examples of doing this are below:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Application.cfc&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;You'll want to do this in your onRequestStart function so it gets checked on every request.  Note that CGI.PATH_INFO does not include the query string, so it has to be re-attached explicitly or URL parameters are lost in the redirect:&lt;/p&gt;
&lt;p style="padding-left: 30px;"&gt;&amp;lt;cfif CGI.SERVER_NAME eq "domain.com"&amp;gt;&lt;br /&gt;&amp;lt;!--- Rebuild the requested URL on the www. host ---&amp;gt;&lt;br /&gt;&amp;lt;cfset redirectUrl = "http://www.#cgi.HTTP_HOST##cgi.PATH_INFO#"&amp;gt;&lt;br /&gt;&amp;lt;!--- PATH_INFO carries no query string, so append it when present ---&amp;gt;&lt;br /&gt;&amp;lt;cfif len(cgi.QUERY_STRING)&amp;gt;&lt;br /&gt;&amp;lt;cfset redirectUrl = redirectUrl &amp;amp; "?" &amp;amp; cgi.QUERY_STRING&amp;gt;&lt;br /&gt;&amp;lt;/cfif&amp;gt;&lt;br /&gt;&amp;lt;cflocation url="#redirectUrl#" statuscode="301" addtoken="no"&amp;gt;&lt;br /&gt;&amp;lt;/cfif&amp;gt;&lt;/p&gt;
&lt;p&gt;The benefit of this method is that it should work equally well with subdomains and URL parameters attached.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Application.cfm&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;You can use the same thing as above in an Application.cfm file, just put it near the top so it's processed first.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/bacrP799VJE" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/bacrP799VJE/coldfusion-redirects</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/coldfusion-redirects</guid>
         <category>ColdFusion</category>
         <pubDate>Sun, 23 Nov 2008 21:25:57 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/coldfusion-redirects</feedburner:origLink></item>	
      <item>
         <title>ColdFusion Duplicate Application Names</title>
         <description>&lt;p&gt;I had to help a customer today that was having an issue where variables he set in his application.cfm in a sub-folder were not being set.  This was causing all kinds of issues, like the wrong DSN being used which caused issues on database updates.  Turns out he had a similar application.cfm in his admin folder, so I checked that out.  What I found was that the admin one had a name of "SiteNameAdmin" but the secure folder (which was having issues) was simply "SiteName" the exact same as the root of his site.  So, I changed the name and voila it worked perfectly.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;More Reading&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Ray Camden has a great blog post about this same issue:&lt;br /&gt; &lt;a href="http://www.coldfusionjedi.com/index.cfm/2007/4/12/Duplicate-Application-name-issue"&gt;http://www.coldfusionjedi.com/index.cfm/2007/4/12/Duplicate-Application-name-issue&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cfexecute/~4/9UEkcyg7yLQ" height="1" width="1"/&gt;</description>
         <link>http://feedproxy.google.com/~r/cfexecute/~3/9UEkcyg7yLQ/coldfusion-duplicate-application-names</link>
         <guid isPermaLink="false">http://www.cfexecute.com/post.cfm/coldfusion-duplicate-application-names</guid>
         <category>ColdFusion</category>
         <pubDate>Mon, 10 Nov 2008 20:51:06 GMT</pubDate>
      <feedburner:origLink>http://www.cfexecute.com/post.cfm/coldfusion-duplicate-application-names</feedburner:origLink></item>
	
   </channel>
</rss>
