COMMAND
Cold Fusion
SYSTEMS AFFECTED
Win NT with CF 3.x and 4.0
PROBLEM
The following message was posted to Allaire's Cold Fusion forums,
as previously noticed in the thread:
http://forums.allaire.com/devconf/Thread_MessageList.cfm?&&Message_ID=71293
By default, on Windows NT installations, the CF function
GetTempDirectory may return C:\WINNT. The Win32 GetTempPath function
gets the temporary file path as follows:
1. The path specified by the TMP environment variable.
2. The path specified by the TEMP environment variable, if TMP
   is not defined.
3. The current directory, if neither TMP nor TEMP is defined.
Although this is correct, apparently Cold Fusion does more than
wrap the Win32 API in its internal API, so I'm in error: it works
in such a way that it returns C:\WINNT.
This can be exploited with the "Coffee Valley Document Library",
included in the Cold Fusion installation examples. This allows
users to upload arbitrary files to the C:\WINNT directory. THIS IS
A SECURITY RISK. C:\WINNT is the second item in the default
Windows NT path, and this exploit can be used to introduce trojans
into this directory. Even though the Coffee Valley example uses
the CFFILE attribute "MakeUnique", which will not overwrite
existing files with the uploaded filename, there is still a
security risk in that new executables and DLLs can be introduced.
On a smaller note, the file system could be filled up with garbage
files.
SOLUTION
TEMP is correctly set to C:\TEMP as a User Environment Variable,
but should also be set as a System Environment Variable. It would
also be a really good idea to disable public access to the /CFDOCS
directory on any machine running Cold Fusion (as this is where the
Example Applications reside). The detail of the workaround is as
follows:
Open Control Panel -> Click System Icon
Select Environment Tab
Click on any system environment variable (IMPORTANT)
Click on the Variable textbox and clear its contents
Type in TEMP as the name of the variable in the Variable textbox
Click on the Value textbox and clear its contents
Type in the desired temporary directory path (e.g. D:\TEMP)
Click SET
Click Apply, then OK
You must reboot for the change to take effect even though you are
not explicitly warned that this is required. Points to note
(test configuration: TEMP set to D:\TEMP in the system
environment; TEMP and TMP set to C:\TEMP in the user environment):
: Setting the system environment variable TEMP does not appear
  to override the user environment variable definition of TEMP
  for the currently logged-in user. (Only tested with
  Programmer's File Editor using Save As ->
  '%TEMP%\test.txt'.) The file was saved in C:\TEMP.
: The Cold Fusion GetTempDirectory() function will use the
  system environment variable TEMP if defined. If it is not
  defined, CF appears to use the 'windir' system environment
  variable (a.k.a. %systemroot%). A test Cold Fusion template
  reported the directory D:\TEMP when displaying this CF variable
  (after applying the workaround):
<CFSET TD = GetTempDirectory()>
<CFOUTPUT>#TD#</CFOUTPUT>
: Without the system TEMP variable set, CF reported C:\WINNT
  (%systemroot% / 'windir') as the expanded variable, not
  C:\TEMP, the user environment variable.
: IMHO, setting ACL entries on all CF-installed web documents
  is a highly recommended 'damn good idea'. To be explicit,
  set IUSR_machine to 'No Access' on the directories and
  propagate through subdirectories. Make sure to add your
  valid users to the ACL entries and mention that they will
  have to provide a username and password. Note these may be
  sent cleartext over the 'Net and be subject to compromise.
  Warning: Be very, very careful when changing permissions.
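The two lookup orders this advisory describes (the Win32 GetTempPath order given under PROBLEM, and the system-TEMP-then-windir order observed for GetTempDirectory() in the points above) can be modelled side by side so the exposure is visible without a CF server. The checker below is an added example, not code from the advisory or from Cold Fusion. The environment tables are constructed to match the defaults the advisory describes (C:\WINNT second on the PATH, TEMP set only as a user variable), the function names are assumptions, and the "after workaround" table is the same machine with TEMP added as a system variable as in the procedure above. The security-relevant question it answers is whether the directory uploads land in is on the executable search path.

```python
"""Model the temp-directory lookups described in the advisory and flag a
result that lands on the executable search path.  Added example; the
environment tables below are constructed to match the advisory's
description of an NT 4 default install, not dumped from a real host."""
import ntpath

# Constructed NT 4 defaults (assumed values): C:\WINNT is the second PATH
# entry and TEMP/TMP exist only in the *user* environment.
DEFAULT_SYSTEM_ENV = {
    "windir": "C:\\WINNT",
    "Path": "C:\\WINNT\\system32;C:\\WINNT",
}
USER_ENV = {"TEMP": "C:\\TEMP", "TMP": "C:\\TEMP"}

# Same machine after the workaround: TEMP added as a *system* variable.
FIXED_SYSTEM_ENV = dict(DEFAULT_SYSTEM_ENV, TEMP="D:\\TEMP")


def win32_temp_path(process_env, cwd):
    """Win32 GetTempPath order: TMP, then TEMP, then the current directory."""
    for name in ("TMP", "TEMP"):
        if process_env.get(name):
            return process_env[name]
    return cwd


def cf_temp_directory(system_env):
    """GetTempDirectory() as observed on CF 3.x/4.0: the *system* TEMP
    variable if defined, otherwise windir.  User variables are ignored."""
    return system_env.get("TEMP") or system_env["windir"]


def _norm(path):
    # Case-insensitive, trailing-backslash-insensitive comparison for NT paths.
    return ntpath.normcase(ntpath.normpath(path))


def on_search_path(directory, path_value):
    """True if `directory` is one of the entries of a PATH-style value."""
    entries = {_norm(p) for p in path_value.split(";") if p.strip()}
    return _norm(directory) in entries


def assess(system_env, user_env=USER_ENV, user_cwd="C:\\"):
    """Where would an upload written to GetTempDirectory() land, and is
    that a directory an attacker could plant executables into?"""
    temp = cf_temp_directory(system_env)
    # A plain Win32 program run by the logged-in user sees the user
    # variables layered over the system ones, so it keeps getting C:\TEMP
    # whether or not the system TEMP has been set (the advisory's PFE test).
    user_process_env = {**system_env, **user_env}
    return {
        "cf_temp_dir": temp,
        "win32_user_temp": win32_temp_path(user_process_env, user_cwd),
        "on_path": on_search_path(temp, system_env["Path"]),
        "is_systemroot": _norm(temp) == _norm(system_env["windir"]),
    }


if __name__ == "__main__":
    for label, env in (("default", DEFAULT_SYSTEM_ENV),
                       ("after workaround", FIXED_SYSTEM_ENV)):
        r = assess(env)
        verdict = "RISK: uploads land on PATH" if r["on_path"] else "ok"
        print(f"{label:17} GetTempDirectory() -> {r['cf_temp_dir']:9} {verdict}")
```

Running the script prints one line per configuration; the default resolves to C:\WINNT and is flagged, the post-workaround one resolves to D:\TEMP and is not. The `win32_user_temp` field stays C:\TEMP in both cases, which is the behaviour the Programmer's File Editor test above reported, and is why checking from an interactive login tells you nothing about what the CF service will do.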