Coldfusion Fusebox V4.1.0 Vulnerability

From: N.N.P (version5_at_gmail.com)
Date: 08/03/05

    Date: Wed, 3 Aug 2005 09:19:06 +0100
    To: bugtraq@securityfocus.com

    This was discovered by myself over the weekend. I can't find out what
    versions of Fusebox this vulnerability is in, but seeing as it affects
    the main Fusebox page I can only assume it is the latest v4.1.0 and
    possibly some older versions.

    According to the Fusebox site,

    What is Fusebox?
    Fusebox is a standard framework for building web-based applications.
     
    Basically the "fusebox" takes all requests for actions such as
    searching, login etc etc on a site and passes it off to the relevant
    script (check out their site for more info). Normally you see
    something like

    http://www.fusebox.org/index.cfm?fuseaction=fusebox.overview

    Basically this vulnerability allows the execution of JS. For example:

    http://www.site.org/index.cfm?fuseaction="><script>document.location="http://silentcode.net"</script>

    I'm sure if anyone feels like screwing around with it you'll
    find some other interesting problems with it; the thing is like Swiss
    cheese ; )

    Comments and criticisms are welcome.

    Comments:
    Some sites using Fusebox are not vulnerable. It appears to be possible
    to set a standard page for errors, and some filter out the script tags.
    Also some will work with redirects and normal alert boxes but will
    filter out document.cookie. In cases like these it often proves useful
    to leave in the actual fuseaction. This helps avoid the error in some
    cases, e.g.
    http://www.site.org/index.cfm?fuseaction=fusebox.overview"><script>alert(document.cookie)</script><

    Usage:
    The main usage of this vulnerability would be cookie stealing. This is
    achieved by redirecting the user to a PHP script on a site you control
    with the user's cookie as a parameter to the script. Then, to avoid
    raising suspicions, redirect them back to the page they thought they
    were accessing. Google "cookie stealing" for more info.

    Fix:
    Filtering all input to the fusebox correctly should solve this. As
    well as that, setting it to suppress errors and having a default error
    page should also help.

    Googling for allinurl:/index.cfm?fuseaction= will give you an idea of
    how many sites are possibly vulnerable.

    Enjoy,
    NNP

    As a side note, if the server isn't set to suppress errors you can get
    some interesting info such as full path disclosure etc. by passing in
    special characters such as ?

    e.g. https://site.com/index.cfm?fuseaction=?

    If you want to see an example of what I mean have a look on
    http://silentcode.net/community

    I've posted a vulnerable site there.

    -- 
    http://silentcode.net
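The fix the post sketches (validate the fuseaction parameter before dispatch, and never reflect a rejected value unescaped on the error page) as an added example that is not the poster's code nor Fusebox's; it is written in Python rather than CFML so it can be run as-is, and the allowlist pattern for "circuit.fuseaction" names is an assumption about what a deployment permits:

```python
import html
import re
from typing import Dict, Optional

# Assumed allowlist for Fusebox-style "circuit.fuseaction" names:
# letters, digits and underscores, exactly one dot, bounded length.
FUSEACTION_RE = re.compile(r"^[A-Za-z0-9_]{1,64}\.[A-Za-z0-9_]{1,64}$")


def validate_fuseaction(value: str) -> Optional[str]:
    """Return the fuseaction if it matches the allowlist, otherwise None."""
    return value if FUSEACTION_RE.fullmatch(value) else None


def error_page(requested: str) -> str:
    """Default error page for unknown fuseactions.

    The request is reflected only after HTML-escaping (quote=True also
    escapes '"'), so the `">`-style breakout from the post cannot inject
    markup, and no server stack trace or file path is included.
    """
    safe = html.escape(requested, quote=True)
    return f"<html><body><p>Unknown fuseaction: {safe}</p></body></html>"


def dispatch(fuseaction: str) -> str:
    """Front controller: validated values are dispatched, anything else
    gets the generic error page."""
    fa = validate_fuseaction(fuseaction)
    if fa is None:
        return error_page(fuseaction)
    return f"<html><body>dispatched to {fa}</body></html>"


# Constructed inputs modelled on the URLs quoted in the post.
SAMPLES = [
    "fusebox.overview",
    '"><script>document.location="http://silentcode.net"</script>',
    'fusebox.overview"><script>alert(document.cookie)</script><',
    "?",
]


def check_samples() -> Dict[str, str]:
    """Run every sample through the controller and return the responses."""
    return {s: dispatch(s) for s in SAMPLES}


if __name__ == "__main__":
    for sample, response in check_samples().items():
        print(repr(sample), "->", response)
```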
    
