COMMAND

    Cold Fusion

SYSTEMS AFFECTED

    Win NT with CF 3.x and 4.0

PROBLEM

    The following message was posted to Allaire's COLD FUSION forums,
    as previously noticed in the thread:

        http://forums.allaire.com/devconf/Thread_MessageList.cfm?&&Message_ID=71293

    By default,  on Windows NT  installations, the  CF function
    GetTempDirectory may  return C:\WINNT.  The Win32  GetTempPath
    function gets the temporary file path as follows:

        1. The path specified by the TMP environment variable.
        2. The path specified by the TEMP environment variable, if TMP
           is not defined.
        3. The current directory, if both TMP and TEMP are not defined

    Although this is correct,  apparently Cold Fusion does more  than
    wrap the Win32 API in its  internal API, so I'm in error: it  does
    indeed return C:\WINNT.

    This can be exploited with the "Coffee Valley Document  Library",
    included in  the Cold  Fusion Installation  Examples. This  allows
    users to upload arbitrary files to the C:\WINNT directory. THIS IS
    A SECURITY  RISK.  C:\WINNT  is the  second item  in the  default
    Windows NT path, and this exploit can be used to introduce trojans
    into this directory.  Even though  the Coffee Valley example  uses
    the  CFFILE  attribute  "MakeUnique",  which  will  not  overwrite
    existing  files  with  the  uploaded  filename,  there is  still a
    security risk in that new executables and DLLs can be  introduced.
    On a smaller note, the file system could be filled up with garbage
    files.

SOLUTION

    TEMP is correctly set to  C:\TEMP as a User Environment  Variable,
    but should also be set as a System Environment Variable.  It would
    also be a really good idea to disable public access to the /CFDOCS
    directory on any machine running Cold Fusion (as this is where the
    Example Applications reside).  The detail of the workaround is  as
    follows:

        Open Control Panel -> Click System Icon
        Select Environment Tab
        Click on any system environment variable (IMPORTANT)
        Click on the Variable textbox and clear its contents
        Type in TEMP as the name of the variable in the Variable textbox
        Click on the Value textbox and clear its contents
        Type in the desired temporary directory path (e.g. D:\TEMP)
        Click SET
        Click Apply, then OK

    You must ReBoot for the change to take effect even though you  are
    not explicitly warned that this is required.  Points to note:

        TEMP set  to D:\TEMP  in system  environment TEMP,  TMP set to
        C:\TEMP in user environment

        : Setting the system environment variable TEMP does not appear
          to override the user environment variable definition of TEMP
          for  the  currently  logged  in  user.  (Only  tested   with
          Programmer's    File    Editor    using    Save    As     ->
          '%TEMP%\test.txt').  The file was saved in C:\TEMP.

        : The  Cold Fusion  GetTempDirectory() function  will use  the
          system environment variable TEMP if defined. If not  defined
          CF appears to use  the 'windir' system environment  variable
          (a.k.a %systemroot%).  A test Cold Fusion template  reported
          the  directory  D:\TEMP  when  displaying  this  CF.variable
          (after applying the workaround):

        <CFSET TD = GetTempDirectory()>
        <CFOUTPUT>#TD#</CFOUTPUT>

        : Without  the system  TEMP variable  set, CF  reported C:\WINNT
          or %systemroot%/'windir' as  the expanded variable,  not
          C:\TEMP, the user environment variable.

        : IMHO- Setting ACL entries on all CF installed web  documents
          is a highly  recommended 'damn good  idea'. To be  explicit,
          set  IUSR_machine  to  'No  Access'  on  the directories and
          propagate  through  subdirectories.  Make  sure  to add your
          valid users to  the ACL entries  and mention that  they will
          have to provide a username  and password. Note these may  be
          sent cleartext over the 'Net and be subject to compromise.
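    The  two resolution  orders described  on this  page (the  Win32
    GetTempPath order of TMP, then  TEMP, then the current  directory;
    and the order the poster observed for Cold Fusion's
    GetTempDirectory(), namely  the system  TEMP variable,  else
    windir) can be modelled to audit where uploads would land  before
    and after the  workaround. The script  below is an  added example
    written for this page, not code from  Allaire or from the  forum
    thread; the  environment contents  are constructed  for
    illustration, and the "risky"  test (temp directory equals  windir
    or any  directory on  the system  PATH) is  this editor's  check,
    not something the original post states.

```python
"""Audit helper for the Cold Fusion GetTempDirectory() problem.

Added example, not from the original forum post.  It models the two
resolution orders the page describes and flags a temp directory that
an attacker could use to plant trojans via CFFILE upload.
"""
import ntpath  # Windows path semantics, works on any host OS


def win32_temp_path(env, cwd):
    """Win32 GetTempPath order as given on the page:
    TMP, then TEMP, then the current directory."""
    for name in ("TMP", "TEMP"):
        value = env.get(name)
        if value:
            return value
    return cwd


def cf_temp_dir(system_env, user_env=None):
    """Order the poster observed for CF GetTempDirectory():
    the *system* TEMP variable, else windir (%systemroot%).
    The user environment is accepted only to show it is ignored."""
    temp = system_env.get("TEMP")
    if temp:
        return temp
    return system_env["windir"]


def _same_dir(a, b):
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def temp_dir_is_risky(temp_dir, system_env):
    """Editor's check (assumption, not from the page): a web-writable
    upload target that is the Windows directory itself, or any
    directory on the system PATH, lets new executables and DLLs be
    found by name even when MakeUnique prevents overwriting."""
    candidates = [system_env.get("windir", "")]
    candidates += system_env.get("Path", "").split(";")
    return any(c and _same_dir(c, temp_dir) for c in candidates)


def audit(system_env, user_env, cwd):
    """Return where each resolution order lands and whether CF's
    result is a dangerous upload destination."""
    cf_dir = cf_temp_dir(system_env, user_env)
    return {
        "win32_user": win32_temp_path(user_env, cwd),
        "cf": cf_dir,
        "cf_risky": temp_dir_is_risky(cf_dir, system_env),
    }


# Constructed environments mirroring the page: default NT install, where
# TEMP is set only in the user environment, and the fixed install with
# a system-wide TEMP=D:\TEMP.
DEFAULT_SYSTEM_ENV = {"windir": "C:\\WINNT",
                      "Path": "C:\\WINNT\\system32;C:\\WINNT"}
DEFAULT_USER_ENV = {"TEMP": "C:\\TEMP", "TMP": "C:\\TEMP"}
FIXED_SYSTEM_ENV = dict(DEFAULT_SYSTEM_ENV, TEMP="D:\\TEMP")

if __name__ == "__main__":
    for label, sys_env in (("default", DEFAULT_SYSTEM_ENV),
                           ("fixed", FIXED_SYSTEM_ENV)):
        print(label, audit(sys_env, DEFAULT_USER_ENV, "C:\\InetPub"))
```

    Run it  as-is to  see the  default install  resolve CF  uploads to
    C:\WINNT (flagged risky) while  the user-level TEMP still  points a
    normal Win32 program at C:\TEMP, exactly the mismatch the  poster
    observed; after the workaround both checks agree on D:\TEMP.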

    Warning: Be very, very careful when changing permissions.