Fwd: New Security Issue with CF

2013-01-04 Thread Steve Artis

I apologize to the list this was not supposed to be sent.

Sent from my iPhone

Begin forwarded message:

From: Steve Artis st...@artisdesigns.com
Date: January 4, 2013, 12:30:16 PM MST
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New Security Issue with CF
Reply-To: cf-talk@houseoffusion.com


Yes

Sent from my iPhone

On Jan 4, 2013, at 12:28 PM, Claude Schnéegans schneeg...@internetique.com wrote:


But I think the way this one works is quite ingenious.

I'm not sure if it is as much ingenious as the breach is gross, frankly.
Have you seen how the scheduled task could have been set?

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353775
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Fwd: New Security Issue with CF

2013-01-03 Thread Robert Rhodes

I looked into this a bit more this morning, and have realized that I may
have gotten very lucky.

In going through the logs again, I see that there were no POSTs to h.cfm.
 So the hacker never logged into h.cfm.  And I see no GETs with a
fuseaction, as described in Charlie's post.

I ran the hacker's script again to confirm that logging in shows a POST in
my logs.  I also tried some of the non-destructive actions he could take,
and found that those caused either a POST or GET+fuseaction.

I think I dodged a bullet here.


-- Forwarded message --
From: Robert Rhodes rrhode...@gmail.com
Date: Thu, Jan 3, 2013 at 12:00 AM
Subject: Re: New Security Issue with CF
To: cf-talk@houseoffusion.com


Thanks.  I saw that afterwards.  I was freaking out a bit there. Still am.
:(

I have gone through the logs on that server (Windows 2008 R2 server running
IIS 7.5 and CF 9.02) and the hacker loaded his script 1 time each on 15
different sites.

They all look like this:
2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171

But on 3 of the sites, he also loaded: help.cfm,
administrator.cfc, mappings.cfm, scheduleedit.cfm, and scheduletasks.cfm,
but there are no scheduled tasks showing in the administrator.

I checked the CF Administrator log and found nothing.

Fortunately, he missed the one site (none of his crap shows up in its logs)
where there was sensitive information, so assuming he could not traverse
directories, I am hoping I am ok there.

I ran his file (after renaming it), and none of my datasources showed up
(it was an empty select). I am hoping I am good there too. It looks like
his script needs to be driven by a human (a lot of it is a form).  So I
am hoping that the one hit I see on most of those sites is an automated hit
to see if the script is there, then he was going to come around later and
do his damage -- and he never did.  Wishful thinking right?

I don't see any other signs of trouble anywhere, but am very worried that
something bad has happened that I have just not stumbled on yet.

Any suggestions or advice?  Any place else I should be looking? Am I
fooling myself to think I got lucky here?

I have shut down CF on that server and am now searching all other servers
for h.cfm.  So far nothing.

Tomorrow, I will completely wipe that server and reload it.

-RR


Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353742
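The log triage Robert describes above (find hits on h.cfm and the administrator pages, then separate a bare GET probe from a POST login or a GET carrying a fuseaction) is easy to automate over an IIS W3C log. The script below is an added example written for this page, not code from any poster on the thread. It reads the `#Fields:` header to map columns, so it does not depend on a fixed field order; the watched file names are the ones named in the thread, matched on basename because the thread gives no full paths. The sample log is constructed: its first data line is the one quoted above, the rest are made up with RFC 5737 documentation addresses and invented paths to exercise each case.

```python
"""Triage IIS W3C logs for requests to a dropped ColdFusion script and admin pages."""
from collections import defaultdict

# File names mentioned in the thread: the attacker's uploaded script plus the
# administrator pages he requested on some sites. Matched on basename only.
WATCHED_FILES = {
    "h.cfm", "help.cfm", "administrator.cfc", "mappings.cfm",
    "scheduleedit.cfm", "scheduletasks.cfm",
}

# Constructed sample log in IIS W3C extended format. The first data line is the
# one quoted in the thread; the others are invented (documentation IPs, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171
2013-01-02 00:15:16 192.168.55.129 GET /index.cfm - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 12
2013-01-02 00:16:40 192.168.55.129 POST /CFIDE/h.cfm - 80 - 198.51.100.23 Mozilla/5.0 200 0 0 88
2013-01-02 00:16:52 192.168.55.129 GET /CFIDE/h.cfm fuseaction=listdsn 80 - 198.51.100.23 Mozilla/5.0 200 0 0 40
2013-01-02 00:17:03 192.168.55.129 GET /CFIDE/administrator/scheduletasks.cfm - 80 - 198.51.100.23 Mozilla/5.0 200 0 0 31
"""


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):    # skip truncated or malformed lines
            continue
        yield dict(zip(fields, values))


def classify(rec):
    """Return the interaction kind for a watched request, or None if not watched.

    Kinds follow the thread's own distinction: a bare GET is a probe that only
    confirms the file is there; a POST or a GET with fuseaction= means the
    script was actually driven.
    """
    name = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
    if name not in WATCHED_FILES:
        return None
    if rec["cs-method"].upper() == "POST":
        return "POST"
    if "fuseaction=" in rec.get("cs-uri-query", "-").lower():
        return "GET+fuseaction"
    return "GET"


def triage(text):
    """Group watched hits by client IP as (timestamp, file, kind) tuples."""
    by_ip = defaultdict(list)
    for rec in parse_w3c(text):
        kind = classify(rec)
        if kind is None:
            continue
        name = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        by_ip[rec["c-ip"]].append((rec["date"] + " " + rec["time"], name, kind))
    return dict(by_ip)


def interacted(by_ip):
    """Client IPs that went beyond a bare GET probe (the thread's worry case)."""
    return sorted(ip for ip, hits in by_ip.items()
                  if any(kind != "GET" for _, _, kind in hits))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, hits in sorted(result.items()):
        print(ip)
        for ts, name, kind in hits:
            print(f"  {ts}  {kind:<15} {name}")
    print("drove the script:", interacted(result))
```

Run against a real log directory by concatenating the files and passing the text to `triage`; an empty `interacted()` list is the same conclusion Robert reaches by hand (only probes, no logins, no fuseaction GETs), while any IP listed there deserves a full look at what it did next.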