Juniper Networks

Signature Detail

Short Name: SCAN:MISC:HTTP:SYNTXCHK-PROBE
Severity: Info
Recommended: No
Category: SCAN
Keywords: Coldfusion cfmlsyntaxcheck.cfm Access
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

SCAN: Coldfusion cfmlsyntaxcheck.cfm Access


This signature detects access to the cfmlSyntaxCheck.cfm file. Attackers can launch a denial-of-service (DoS) attack against a Web server.

Extended Description

A malicious CFML developer could use undocumented tags and functions to create a web application hosted on the local machine that would give the attacker the ability to perform various unauthorized actions, including registry, database, and security access. This is possible due to certain tags that are available as part of the web administration utility. These tags can be found using the CFdecrypt utility (more information available at http://www.securityfocus.com/vdb/275).

In 3.0 the most potentially damaging tags are CFAdmin_Registry_GET and CFAdmin_Registry_SET. In 4.0 they are CFNEWINTERNALREGISTRY and CFNEWINTERNALADMINSECURITY. In combination with the cfusion_encrypt() and cfusion_decrypt() functions, these can be used to retrieve and decrypt the admin and studio passwords. With these passwords, the attacker can then use a variety of tools available as part of the web administration interface to upload files, retrieve directory listings, etc.

The complete list of functions and tags is:

ColdFusion 4.0x and 3.x Administrative Functions:

  • CF_SETDATASOURCEUSERNAME(): Sets the default user name for a ColdFusion data source
  • CF_SETDATASOURCEPASSWORD(): Sets the default password for the ColdFusion data source
  • CF_ISCOLDFUSIONDATASOURCE(): Verifies a connection to a ColdFusion data source
  • CF_GETDATASOURCEUSERNAME(): Gets the default user name for a ColdFusion data source
  • CFUSION_VERIFYMAIL(): Verifies the connection to the default ColdFusion SMTP mail server
  • CFUSION_GETODBCINI(): Gets ODBC data source information from the Registry
  • CFUSION_SETODBCINI(): Sets ODBC data source information in the Registry
  • CFUSION_GETODBCDSN(): Gets the ODBC data source names from the Registry
  • CFUSION_SETTINGS_REFRESH(): Refreshes some ColdFusion settings not requiring a restart
  • CFUSION_DBCONNECTIONS_FLUSH(): Disconnects all currently connected ColdFusion data sources
  • CFUSION_DECRYPT(): 3.x only - decrypt function that decrypts a specific string. Deprecated by the standard Decrypt() function.
  • CFUSION_ENCRYPT(): 3.x only - encrypt function that decrypts a specific string. Deprecated by the Encrypt() function.

ColdFusion 4.0x Administrative Tags:

  • CFINTERNALDEBUG: Used for internal ColdFusion debugging by product development and to PCode templates without executing them (used by the CFML Syntax Checker).
  • CFNEWINTERNALADMINSECURITY: Used for updates to Advanced Security information.
  • CFNEWINTERNALREGISTRY: Used for registry updates. This tag is identical to the CFREGISTRY tag but bypasses Basic security.

ColdFusion 3.x Administrative Tags (deprecated in 4.x):

  • CFADMIN_REGISTRY_SET: Used for registry updates, bypassing Basic security.
  • CFADMIN_REGISTRY_GET: Used for retrieving registry information, bypassing Basic security.
  • CFADMIN_REGISTRY_DELETE: Used for registry updates. This tag is identical to the CFREGISTRY tag but bypasses Basic security.

Affected Products

  • Allaire ColdFusion Server 2.0.0
  • Allaire ColdFusion Server 3.0.0
  • Allaire ColdFusion Server 3.0.1
  • Allaire ColdFusion Server 3.1.0
  • Allaire ColdFusion Server 3.1.1
  • Allaire ColdFusion Server 3.1.2
  • Allaire ColdFusion Server 4.0.0
  • Allaire ColdFusion Server 4.0.1

References

  • BugTraq: 550
  • CVE: CVE-1999-0760

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.