Comments on: ColdFusion directory traversal FAQ (CVE-2010-2861)

By: Zoi

Zoi — Thu, 25 Oct 2012 17:19:01 +0000

I tested this out it doesnt seem to work. I obtained the hash of a ColdFusion 7 system. However passing the hash does not work. I tried several times really fast the whole process. you have some video demonstrating this?

By: Shubham

Shubham — Tue, 04 Sep 2012 12:31:29 +0000

Feel free to look at my automation of this process at http://code.google.com/p/cfide-autopwn/. Currently it supports lists, and can rip hashes via enter.cfm method. Sooner it will support the uploading of a web shell. Great if you want to mass check your servers.

By: mr,prince

mr,prince — Mon, 02 Apr 2012 12:35:27 +0000

pagvac:) The attacker does not need to crack the sha1? yes and NO?

By: anagogue

anagogue — Fri, 14 Jan 2011 16:34:28 +0000

Any hints on what to do with a ColdFusionMX password? Didn’t that use a weaker hash/encryption function than 7/8+?

I assume it should be fairly easily crackable, but need a hint on what to use on it.

By: Ashok

Ashok — Wed, 01 Sep 2010 23:23:18 +0000

Hi ! Thanks for the article ….. I found something wired with Gmail password. For long time I have been using a password with space at the beginning and end of the alphanumerical characters.

e.g- â€ passwd â€ But actually Gmail doesnâ€™t count if there is spaces at the beginning and end of the password. Basically you could use the space character as much as you like at the beginning and end with actual password, still you can sign in. I couldnâ€™t find any article related to this â€¦ But I could exploit this feature(!) at times when some one try to count the number of characters in the password, by adding some spaces.

By: pagvac

pagvac — Tue, 24 Aug 2010 16:11:36 +0000

@Simon: the value of the ‘salt’ parameter expires after a few seconds on the server side (60 seconds IIRC). This means you need perform the steps mentioned in this post within this time window.

Why wouldn’t it work? Think about it, the login form simply hashes the password entered by the user with the value of the ‘salt’ parameter as returned by the application within client-side JS code. You can replicate all these steps yourself without needing to know the plaintext password.

By: BlueThunder Blog » ColdFusion Directory Traversal vulnerability

BlueThunder Blog » ColdFusion Directory Traversal vulnerability — Mon, 23 Aug 2010 23:48:11 +0000

[...] allowing the inclusion of other files from the same disk the CFAdmin section is living on.Â AsÂ Adrian Pastor points out, CF runs under the SYSTEM account by default, which means access to any file on the drive.Â [...]

By: Simon

Simon — Thu, 19 Aug 2010 14:29:26 +0000

I tested this out with my client and it doesnt seem to work. I obtained the hash of a ColdFusion 8 and 7 system. However passing the hash does not work. I think you must crack it.

By: pagvac

pagvac — Wed, 18 Aug 2010 17:05:16 +0000

Lucas: there are many ways to do this, blocking the URL with a WAF is one of them. Also, you can do it on the web server itself. For instance, on Apache you could add the following to the config file:


Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Just make sure you test the new configuration settings thoroughly before placing the server into production. For instance, some non-admin features rely on access to /CFIDE/ . E.g.: charts (cfchart) requires access to /CFIDE/GraphData.cfm. Take a look at the ColdFusion lockdown guide for more info: http://www.adobe.com/products/....._wp_ue.pdf

By: Lek in ColdFusion kaapt webservers » QTA Nieuws

Lek in ColdFusion kaapt webservers » QTA Nieuws — Wed, 18 Aug 2010 14:16:32 +0000

[...] daarmee de analyse van hacker Adrian Pastor die vrijdag al stelde dat het ColdFusion-lek kritiek is en niet slechts 'belangrijk'. Exploitcode voor dit lek is inmiddels publiekelijk beschikbaar. Adobe heeft maandag nog een [...]

By: Vulnerabilidad en Cold Fusion de Adobe mas critica de lo que se cree | OpenSecurity

Tue, 17 Aug 2010 15:28:32 +0000

[...] usuarios deberÃan instalar una actualizaciÃ³n de seguridad. Existe mÃ¡s informaciÃ³n en el Blog GnuCitizen con mÃ¡s detalles sobre esta [...]

By: pagvac

pagvac — Tue, 17 Aug 2010 14:07:15 +0000

Jones: once you upload the cfm backdoor, you should be able to delete any files (SYSTEM privs by default), including the backdoor itself. After all, you can run arbitrary commands. E.g. del \ColdFusion8\wwwroot\cfexec.cfm

By: ColdFusion vulnerability more critical than first thought

ColdFusion vulnerability more critical than first thought — Tue, 17 Aug 2010 11:50:56 +0000

[...] highest priority to installing the security update. A FAQ page on security blog GnuCitizen provides further information on workarounds. Source: [...]

By: Lucas

Lucas — Tue, 17 Aug 2010 10:30:49 +0000

Hi, just wonder why can’t I just block entire CFIDE folder to anyone except one IP? Can that screw something? Cheers!

By: Jones

Jones — Tue, 17 Aug 2010 07:11:31 +0000

How would you delete a uploaded file to a exploited server? Im currently testing this in my lab at home. but i cant seem to figure out how to delete all uploaded scripts.

By: Adobe ColdFusion’s Directory Traversal Disaster « ColdFusion Developers Network

Mon, 16 Aug 2010 13:04:07 +0000

[...] why I think this is a big mistake … on top of the excellent analysis Adrian has already done (check his excellent post here) I think it’s relevent to do a little digging yourself to understand the full scope of the [...]

By: pagvac

pagvac — Sun, 15 Aug 2010 21:34:19 +0000

@Niels: didn’t think of that TBH. Excellent point! I haven’t tested it but should definitely work. This would make cracking the SHA1 hash totally unnecessary!

@sunjester: ;D

By: Niels Teusink

Niels Teusink — Sat, 14 Aug 2010 16:49:47 +0000

Thanks for the article Adrian! I have one addition: An attacker does not need to crack the SHA1-hash. The CF8 login screen does this: onSubmit="cfadminPassword.value = hex_hmac_sha1(salt.value, hex_sha1(cfadminPassword.value));"

This allows attackers to authenticate using the hash instead of cracking it.

By: sunjester

sunjester — Sat, 14 Aug 2010 06:35:53 +0000

Maybe Adobe hires new guys.. lol