Cross-site scripting in Coldfusion MX Server Administrator Menu Vulnerability
Vendor: Macromedia
Product Affected: Cold Fusion MX Server 6.1 and prior
Type: Cross-Site Scripting
Severity: Medium
Date released: 20th October 2004
Overview
The Coldfusion MX Server Administrator component utilities page (componentlist.cfm under /CFIDE) reflects the package URL parameter into its output without HTML-encoding it, allowing cross-site scripting attacks against an authenticated administrator.
I. Description
The cross-site scripting bug can be triggered with a URL like the following; the value of the package parameter is written back into the page unescaped:
http://172.16.0.27:8500/CFIDE/componentutils/componentlist.cfm?package=<script>alert(document.cookie)</script>
What makes the issue more serious than usual is that the administrator's cookie contains not just the current session ID but also the administrator's obfuscated password. This obfuscation is trivial to defeat.
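The following is an added example, not code from the original advisory or from Macromedia: a small check that distinguishes the vulnerable behaviour (the probe string reflected as live markup) from the patched behaviour (the probe reflected HTML-encoded) or a filtered response. The host and port are taken from the advisory's example URL; the two response bodies are constructed samples, since the exact markup componentlist.cfm emits is not given on the page, and the live-request helper is an assumption about how a practitioner would use it.

```python
import html
import urllib.request
from urllib.parse import quote

# The payload shown in the advisory.
PROBE = "<script>alert(document.cookie)</script>"

# Affected page path from the advisory.
ADMIN_PATH = "/CFIDE/componentutils/componentlist.cfm"


def build_probe_url(base: str, package: str = PROBE) -> str:
    """Build the request URL. The package value is percent-encoded so the
    probe reaches the server intact (a browser does this for the URL in the
    advisory automatically)."""
    return f"{base}{ADMIN_PATH}?package={quote(package, safe='')}"


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Classify how a response body reflects the probe.

    'unescaped' - the literal markup is present: the page is vulnerable
    'escaped'   - only an HTML-encoded form is present (named or numeric
                  entities): output encoding is in place
    'absent'    - the probe is not reflected at all: filtered or rejected
    """
    if probe in body:
        return "unescaped"
    # html.unescape() turns &lt; / &#60; / &#x3c; back into '<', so any
    # entity-encoded copy of the probe is recognised regardless of encoder.
    if probe in html.unescape(body):
        return "escaped"
    return "absent"


# Constructed sample responses (not captured from a real server).
VULNERABLE_BODY = (
    "<html><body><h2>Components in package "
    "<script>alert(document.cookie)</script></h2></body></html>"
)
PATCHED_BODY = (
    "<html><body><h2>Components in package "
    "&lt;script&gt;alert(document.cookie)&lt;/script&gt;</h2></body></html>"
)


def probe_target(base: str, timeout: float = 10.0) -> str:
    """Hypothetical live check: fetch the probe URL and classify the body.
    Only run this against a server you are authorised to test."""
    url = build_probe_url(base)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body)


def check_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {
        "vulnerable": classify_reflection(VULNERABLE_BODY),
        "patched": classify_reflection(PATCHED_BODY),
    }


if __name__ == "__main__":
    print(build_probe_url("http://172.16.0.27:8500"))
    for name, verdict in check_samples().items():
        print(f"{name}: {verdict}")
```

A result of "escaped" after applying the vendor update is what you want to see; "unescaped" means the page is still reflecting raw markup. Because the check decodes entities before comparing, it also recognises encoders that emit numeric entities rather than the &lt;/&gt; form used in the sample.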
II. Impact
The loss of the session ID allows an attacker to impersonate the administrator for the duration of that session. Worse, by extracting the obfuscated password from the same cookie, the attacker can recover the original password and thus gain permanent access to the Administrator account, taking complete control of the Coldfusion server.
III. Solution
Apply the patch in the Macromedia security bulletin:
http://www.macromedia.com/support/coldfusion/downloads_updates.html
Workaround
Restrict access to the administrator interface (the /CFIDE path, served on port 8500 in the example URL above) by IP address so that only trusted hosts can reach it. This limits who can use a stolen cookie but does not remove the flaw: an administrator browsing from a trusted host who follows a crafted link is still exposed, so the vendor patch should be applied as well.
Vendor's Response
Apply the comprehensive security update for Macromedia Coldfusion MX Server 6.1
http://www.macromedia.com/support/coldfusion/downloads_updates.html
Systems Affected
Macromedia Cold Fusion MX Server 6.1 and prior