CFWebstore File Upload Vulnerability

NOTE: Please read my follow-up to this and the recent FCKEditor issues affecting ColdFusion, also if you’re using TinyMCE with the TinyBrowser plugin read this post as well.
There has been a recent outbreak of attacks on servers running the ColdFusion shopping cart CFWebstore, that is allowing the attackers to upload a ColdFusion variant of the C99 shell script. This is giving them full access to your server and it will get compromised if they get that file up there.
Here’s what they do:

  1. Using the /customtags/uploadfile.cfm page, they are spoofing the MIME type to upload index.cfm and image.cfm to /images/accounts directory – these are their web shells (think of them like control panels).
  2. After having these web shells uploaded, things can go one of several ways:
    1. If you have cfexecute/cfregistry disabled, they will likely just inject JavaScript into every site on your server
    2. If you have cfexecute/cfregistry enabled, they will likely attack you with wminotify, this allows them to log and send back home all passwords used to log into the server for remote administration. At this point, you should probably plan to build a new server because this level of compromise is pretty deep and you likely won’t clean it all up.
    3. If you had cfexecute/cfregistry disabled and Sandbox security on each site, then only the CFWebstore site that was attacked will be injected with JavaScript.

So, you’ve been attacked, cleaned things up/rebuilt a server or two, what now? According to the folks at CFWebstore, you need to modify the application.cfm file for your store with this code from their blog. EDIT: More detailed information from CFWebstore. Use the link, not posting it incase something is changed in it. Also, I would suggest upgrading to the newest version as fast as possible for your budget and resources, since version 6, according to CFWebstore, certain upload files in the customtags directory are no longer used and are removed from the code base.
Additional details about the attack:

  • The shell contains many references to seraph, this is likely his/their blog in China
  • It looks like one of seraph’s buddies, chanm is actually doing the attack as I’ve seen Windows users created with the name of chanm$.
  • More info about wminotify.dll from Symantec
  • Read through the comments on Ray Camden’s post about this issue which includes many details from various people’s experience with this attack
  • The attacker is sometimes uploading a JSP file to get around the security layer in ColdFusion, which allows complete bypass of any Sandboxes you already had setup

While this is a specific attack on one application, the lessons learned can be applied to any web application:

  • DO NOT blindly trust the MIME types that are sent by a browser, these are easily spoofed.
  • DO upload outside you web root initially
  • DO additional checks on uploaded files before pushing them live (file extensions should match, use functions like isImageFile() and isPDFFile() in ColdFusion, etc.)
  • DO protect uploads with some sort of login (assuming your business rules preclude the public uploading content to your site)
  • DO disable JSP handling in ColdFusion if you don’t use it, see Adobe instructions.

Edit: Its been a long 2 weeks dealing with these, if I’ve missed something, let me know in the comments.
Last Update: 2 July 2009 12:40 PM

14 thoughts on “CFWebstore File Upload Vulnerability”

  1. Just thought I’d CC the info I posted about this at

    Copied from my original Post…

    I have been banging my head against the wall all day with this.

    Anyway long story short… Those of you that were hit probably have CFWEBSTORE running on your server. Some dipshit in China is using an image upload form to spoof CF into allowing an “index.cfm” file to be uploaded. In my case it was located in “”. The index.cfm file is then accessed through the browser providing complete control of the server.

    It may be in a different location on your server… but the way I located it was to use Textpad to search all *.cfm files containing the string “CFEXECUTE”. Textpad may identify more than 1 *.cfm file containing cfexecute but I promise the file you’re looking for will stand out. Locate this file and open it up with notepad or something. It’s pretty intensive if not impressive.

    After I located the source,

    1) I renamed the index.cfm file to something else for further examination

    2) disabled uploading through CFadmin until I can get a permanent fix put in place.

    Anyway, hope this helps. Cheers.

  2. To add to this – newer versions of cfwebstore don’t seem to be effected, at least the one I was running was not. So it’s a good reminder to keep software installations updated. It also seems that the hack makes use of JSP in CFEnterprise to get around sandboxing so this is criticial to have disabled. It ssems a serious flaw to me that one line of improper code can allow a hacker to bring down an entire server so easily, so it seems we are all learning about locking down CF a little better. Also, the other threads mention FCKeditor as being a vulnerability, both in CF8 and home-grown apps, and being so widely used, there’s no telling how many copies of it are out there, so don’t assume that if you don’t have any cffwebstores that you are safe from this hack, it is definitely finding its way around/.

  3. On the many servers I’ve looked at logs for, I’ve not seen a single one that was compromised via FCKEditor. Not saying it can’t happen, just saying I haven’t seen it yet and doubt the attackers are making use of that. By using CFWebstore, they have a consistent file structure to go after (i.e. /customtags/uploadfile.cfm, et al) whereas going after FCK would basically be a crap shoot of locations for them.

  4. @Brent – I am just going on information posted elsewhere, had someone that didn’t have any cfwebstores have there server attacked so there’s some indication that some other route for the hackers is being used. certainly they’re going to make use of a known exploit as much as possible, but they likely will look for other entries as soon as one get patched, so the warning is simply to not assume this is the only vulnerable area out there.

  5. It doesn’t help that CFWebstore puts the product name in the URL and makes it easily searchable using Google easily identifying a website using this cart as a soft target.

  6. As web developers, we spend a lot of my time and money fighting these terrorist attacks. Unfortunately, our law enforcement is overwhelmed and impotent against this threat, so we are out here on our own shoring up the ramparts. Yea, sure, there are terrorists in Afghanistan, but the real threat exists right here at home. Time to write your congress person… a lot.

    This is affecting our economy and the way we do business. If you ask me, we should block all foreign access to our internet infrastructure until these countries step on the terrorists/hackers that exist within their borders openly attacking us.

    This is no joke, fellow friends in cyberspace. This is the real deal. Flying planes into a couple of buildings in New York was a terrible tragedy and cost us dearly. Over time, however, this terrorist attack has had much greater economic impact. Time to stand up and insist our government protect us from these terrorist attacks. Time to insist other countries comply and help us.

  7. @ Steve – not sure what the heck you are talking about, the product name is not in any URL for any store I have done. In fact, if you use the seo link setting, it would be pretty tough to find an installation on ANY type of search criteria. This whole article is enough of a witch hunt against a product that I have found to be excellenty written and supported in the years I’ve used it (the fact that this hack mainly effected older, out of date stores is convenently buried, and it barely mentions other exploits that were used) so lets not throw false information on top of the fire. The very fact that servers could so easily be attacked by a single roge file is a bit of major security hole on CF that seems to have been just swept under the rug and ignored.

  8. P.S. Of course, the fact that this article specifically gives information about HOW to find a vulnerable store is a major problem to me. Certainly gives other hackers out there clear guidelines in terms of what to look for and I was really shocked that someone would post such information and increase the risk all the more. It should have been sufficient to describe the attack without giving the actual files that were being used and refer people to cfwebstore support if they need more information.

  9. @John,

    The details would be helpful for any server admin to search web logs in order to determine if any type of exploit was even attempted. I do agree with you, the fact that this product is so widely used speaks volumes for its quality and usefulness. Also, CFWebstore put almost the exact information about what files were being hit to affect this. I see no more harm in posting these details here than say on where hackers hang out regularly. Older versions of this software were clearly hit because it has a very large install base and that allowed scripts to be easily created to attack large blocks of IP space at one time without the need for much, if any human intervention.

  10. As I said, you could just refer people to cfwebstore support for details for those that need them. The information was being given on their email support list (which won’t come up on google searches the way this does) and they only posted it to the public blog AFTER this article went up and the fact that the information was already publicly available as a result (they stated that on the list that this is why they were posting it as others on the list warned about posting too much information). And to compare what you did with what hackers do, well that says it all right there doesn’t it?

  11. John P. wrote “so lets not throw false information on top of the fire”. I really agree with this and the fact that so much of what else that was/is going on is left out of this discussion. Efforts by CFWS to keep customers up to date and notify the user base, seem to have been left out of this whole conversation. I used CFWS for many years and other products as a web developer for 15 years or more. It is a given that any complex application, in particular ones offering commerce or handles sensitive data needs to be updated all the time. Some of the people I have talked to mostly complained that they don’t want to buy upgrade. Since the software offers all version number increment updates for free there is no excuse. The software is extremely cost effective when you need to buy a version update. I have seen some pretty big companies that spend millions on software get hacked simply because they tried to save a few bucks by not having a proper managed firewall. And others alter the software in such a way it is no longer safe. The primary version of CFWS that was hacked was written over 5 years ago. Personally I think that store owners and developers, together, need to realize that the hackers out there don’t stop because it is too expensive. And Hosting companies need to be more proactive in notification when something this large starts going around.

    Yesterday I was chatting with someone that seemed to have had the files on his site renamed. From the conversation he was concerned that his host had done it. It seems to me if they went that far they should have notified him. It’s not like the hosting companies can not send individual emails.

    As for the comment from Steve it is just a poor developer or administrator that elects to put their store in a directory with the application name and include it the URL. Just like shared database servers, it blows me away sometimes when I see the names people use, like XYZFinance. Talking about making yourself a target.

    It has been a month now and a lot has been learned. A lot of damage was done due to a lot of factors from some out-of-date files that were exploited in CFWS to FCKeditor. Having had almost the same problem, I’ve learned that hot fixes from Adobe and instructions to prevent more hacks have been released.

    Brent, I read your posts and in this case I just wish it were a bit less slanted to only one party. Maybe next time, or maybe not.
    As I understand you work for one of the hosting companies that got hit pretty hard. You very well may have assisted me in the past. And I am sure you helped fix some of the problems in some way or another. As always the support there is excellent. And for a long time the developer of CFWS has promoted that company.

    AND MORE than anything I hope you will perhaps put a link to today’s post to the “TinyMCE TinyBrowser Plugin Vulnerability” dated 7/28/09 on this entry so people using only CFWS that find this on Google and other searches get the bigger story. And can be prepared.

  12. Although we have followed the instructions on the CFWebstore site, and have restored things back to normal on our webserver.. we are unable to get into our CF Administrator (despite restoring our copy of CF back to one from 2 weeks ago) since the attack. Has anyone else had this issue after the attack? The error is not helpful because robust exception info must be turned on which can’t be turned on without access to the admin:

    The following information is meant for the website developer for debugging purposes.

    Error Occurred While Processing Request
    Invalid token $ found on line 57 at column 111.
    The CFML compiler was processing:

    A cfApplication2ecfm1253482620 tag beginning on line 57, column 83.

  13. @Arias,

    This most likely indicates that your copy of CF admin was injected prior to your restore point. Your best bet is to install the Developer edition on your local computer and copy the CFIDE directory up to your server to get fresh files. Keep in mind that the CF admin is all compiled CF code (using cfcompile) so just doing a search and replace on those files isn’t enough to get them working again.

Leave a Reply

Your email address will not be published. Required fields are marked *