
Path Traversal in Adobe ColdFusion (CVE-2019-8074)

Daniel Underhay

Background

Last year I discovered a fairly simple Path Traversal bug in Adobe ColdFusion. Due to the vulnerability being discovered at work and without any source code, details are extremely vague.

A custom web application created with Adobe ColdFusion 2018 had the ColdFusion admin portal whitelisted. Any attempts to go to the admin portal https://example.com/CFIDE/administrator/index.cfm would result in a redirect to the main page of the application.

The idea came from watching a great talk from Orange Tsai on exploiting URL parsers. More info here.

Bug Details

Using ..;/ it was possible to bypass the whitelisting rule and access the ColdFusion admin portal. For example: https://example.com/..;/CFIDE/administrator/index.cfm
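An added example, not code from the original post or from Adobe: a sketch of why an access rule that matches on the raw path misses `..;/`, and how to flag such requests. It assumes the application server drops `;parameter` suffixes from each path segment before resolving `..` (the post gives no internals); the function names and sample URLs are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Admin path named in the post; compared case-insensitively to be conservative.
PROTECTED_PREFIX = "/cfide/administrator"


def frontend_view(url: str) -> str:
    """Raw request path, as a simple prefix-matching rule would see it."""
    return urlsplit(url).path


def backend_view(url: str) -> str:
    """Path after the assumed server-side handling: drop ';params' from each
    segment, then resolve '.' and '..'. Decoding first is deliberately
    conservative for a detector."""
    path = unquote(urlsplit(url).path)
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    resolved = posixpath.normpath("/" + "/".join(segments))
    return "/" + resolved.lstrip("/")  # normpath can keep a leading '//'


def is_protected(path: str) -> bool:
    p = path.lower()
    return p == PROTECTED_PREFIX or p.startswith(PROTECTED_PREFIX + "/")


def classify(url: str) -> str:
    """'blocked' if the raw-path rule fires, 'bypass' if only the resolved
    path is protected (the two views disagree), otherwise 'ok'."""
    if is_protected(frontend_view(url)):
        return "blocked"
    if is_protected(backend_view(url)):
        return "bypass"
    return "ok"


# Constructed sample requests (example.com as in the post).
SAMPLES = [
    "https://example.com/CFIDE/administrator/index.cfm",
    "https://example.com/..;/CFIDE/administrator/index.cfm",
    "https://example.com/app/index.cfm;jsessionid=abc",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):8} {url}")
```

A `bypass` result means the access rule and the server disagree about which resource the path names; enforcing the rule on the resolved path, or rejecting such requests outright, closes that gap.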

The bug was rated as critical by Adobe. I am unsure if this relates to the Command Injection bug discovered by Badcode of Knownsec 404 Team (CVE-2019-8073) at roughly the same time or if I missed something else completely.

Affected Versions

| Product | Affected Versions | Platform |
|---|---|---|
| ColdFusion 2018 | Update 4 and earlier versions | All |
| ColdFusion 2016 | Update 11 and earlier versions | All |

Fixed Versions

| Product | Updated Versions | Platform |
|---|---|---|
| ColdFusion 2018 | Update 5 | All |
| ColdFusion 2016 | Update 12 | All |

Adobe Security Bulletin: https://helpx.adobe.com/security/products/coldfusion/apsb19-47.html