
ColdFusion Attacks

In recent days, ScanSafe STAT has been monitoring a series of injection attacks that appear to be the result of attacks on Adobe ColdFusion, an application server framework comparable to ASP.NET, PHP, etc. ColdFusion uses its own scripting language, CFML (ColdFusion Markup Language), whose syntax is quite similar to HTML/XML. Pages generated by ColdFusion typically have a .cfm extension, or .cfm includes may be embedded within standard HTML pages. A Google query reveals that well over 500 million web pages are generated using ColdFusion – certainly a number that makes ColdFusion a very attractive target for would-be attackers.

In mid-July, the hacker webzine 0x000000.com discussed potential pitfalls, particularly within older versions of ColdFusion, which could lend themselves to potential compromise:

~ Easily discoverable passwords
~ Lack of parameterized query handling
~ Failure to properly escape single quotes
~ Returning error messages that are too verbose

Like standard SQL injection, ColdFusion attacks have been around for years. What appears to have happened now is the same thing that led to the millions of compromises in the ASP/SQL Server attacks - the use of automated tools.
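As an added illustration of the two middle pitfalls in the list above (example code written for this note, not ScanSafe's, Adobe's, or any scanner's code): a small Python routine that flags <cfquery> blocks which splice raw #variable# interpolations into the SQL text, and a simplified model of the "escape single quotes" defence showing why it does nothing for a placeholder that is not wrapped in quotes, such as a numeric id. The CFML fragments and request values are constructed; render_with_quote_doubling and bind_integer_param are simplified models of ColdFusion and cfqueryparam behaviour, not their implementation.

```python
"""Added example (not ScanSafe's or Adobe's code): find <cfquery> blocks that
interpolate variables without <cfqueryparam>, and show why relying on
single-quote escaping alone does not protect unquoted (numeric) placeholders.
The CFML snippets and request values below are constructed for illustration."""
import re

# Constructed CFML fragment: the request variable is spliced straight into the SQL.
VULNERABLE_CFM = """
<cfquery name="getProduct" datasource="shop">
    SELECT name, price FROM products
    WHERE id = #url.id#
</cfquery>
"""

# Constructed CFML fragment: same query, value bound with <cfqueryparam>.
HARDENED_CFM = """
<cfquery name="getProduct" datasource="shop">
    SELECT name, price FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
"""

CFQUERY_RE = re.compile(r'<cfquery\b([^>]*)>(.*?)</cfquery>', re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
PARAM_TAG_RE = re.compile(r'<cfqueryparam\b[^>]*>', re.IGNORECASE)
INTERP_RE = re.compile(r'#([^#]+)#')


def find_unparameterized_queries(cfml):
    """Return [(query_name, [variable, ...])] for every <cfquery> whose body
    still contains #var# interpolations once the <cfqueryparam> tags are
    removed. An interpolation inside <cfqueryparam value="#x#"> is a bound
    parameter rather than string concatenation, so it is not reported."""
    findings = []
    for attrs, body in CFQUERY_RE.findall(cfml):
        name_match = NAME_RE.search(attrs)
        name = name_match.group(1) if name_match else "<unnamed>"
        raw_interps = INTERP_RE.findall(PARAM_TAG_RE.sub("", body))
        if raw_interps:
            findings.append((name, raw_interps))
    return findings


def render_with_quote_doubling(body, variables):
    """Simplified model (an assumption for illustration) of the 'escape single
    quotes' defence: every #var# is replaced by its value with each ' doubled
    to ''. That only helps when the placeholder sits inside quotes; for
    WHERE id = #url.id# the value reaches the SQL text unchanged."""
    def substitute(match):
        return str(variables[match.group(1)]).replace("'", "''")
    return INTERP_RE.sub(substitute, body)


def bind_integer_param(value):
    """Model of what cfqueryparam with cfsqltype="cf_sql_integer" does: the
    value is type-checked and bound, never concatenated into the SQL.
    Returns the integer, or raises ValueError for anything non-numeric."""
    return int(str(value).strip())


if __name__ == "__main__":
    print("Unparameterized:", find_unparameterized_queries(VULNERABLE_CFM))
    print("Hardened:", find_unparameterized_queries(HARDENED_CFM))
    body = CFQUERY_RE.search(VULNERABLE_CFM).group(2)
    # A value containing no quote character passes through quote-doubling untouched.
    print(render_with_quote_doubling(body, {"url.id": "42 OR 1=1"}))
    try:
        bind_integer_param("42 OR 1=1")
    except ValueError as err:
        print("cfqueryparam-style binding rejects it:", err)
```

Running the block reports the constructed vulnerable query and nothing for the hardened one, then shows the rendered SQL with the unquoted value intact and the integer binding refusing it. The scanner is deliberately narrow: it treats any raw interpolation inside <cfquery> as a finding, which over-reports queries that interpolate trusted server-side values, so its output is a review list rather than a verdict.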

Following are some of the malware domains involved in the recent ColdFusion attacks:

mh.976801.cn
1.verynx.cn
mm.ll80.com


Posted on Tuesday, July 22, 2008 at 07:56AM by Mary Landesman | 3 Comments

Reader Comments (3)

Your article seems to imply that older versions of ColdFusion did not support parametrized queries; this is factually incorrect. ColdFusion has supported parametrized queries since at least ColdFusion 5 (2001). The problem is a developer problem, in that developers did not make use of the cfqueryparam tag, which would have prevented this attack.

Further problems stem from URL or FORM parameters not being sanitized and do not specifically imply a weakness in the Coldfusion Server or language but more a problem with uninformed developers.

The overly verbose error messages you allude to as a weakness are a strength during development and can easily be turned off and/or handled correctly by competent developers.

Lastly, all pitfalls mentioned above can be traced directly to how a site was developed and not to the specific tool being used. It just so happens in this case that a large number of sites were created with this tool by a large number of unseasoned developers.

If anything, it's a pitfall of the language being so easy to learn.

Regards,

Gary Gilbert

July 23, 2008 | Unregistered Commenter Gary Gilbert

Hello there

I wonder if there is any solution you can suggest for the mm.ll80.com problem. I am also facing the same problem on my web server.

July 23, 2008 | Unregistered Commenter Kebena

It is worth pointing out that these attacks are successful due to bad coding, and are not a flaw in ColdFusion/CFML.

The CFML language has for many, many years supported the cfqueryparam tag, which can help to eliminate SQL injection threats.

For anyone needing to fix bad code they might have inherited, there is also a tool which can help by detecting queries which lack the cfqueryparam tag. Anyone interested can download QueryParam Scanner from qpscanner.riaforge.org

July 23, 2008 | Unregistered Commenter Peter Boughton
