<<< Date Index >>>     <<< Thread Index >>>

Coldfusion Fusebox V4.1.0 Vulnerability



This was discovered by myself over the weekend. I cant find out what
versions of fusebox this vulnerability is in but seeing as it affects
the main fusebox page I can only assume it is the latest v4.1.0 and
possibly some older versions.

According to the Fusebox site, 

What is Fusebox?
Fusebox is a standard framework for building web-based applications.
 
Basically the "fusebox" takes all requests for actions such as
searching, login etc etc on a site and passes it off to the relevant
script (check out their site for more info). Normally you see
something like

[code]
http://www.fusebox.org/index.cfm?fuseaction=fusebox.overview[/code]

Basically this vulnerability allows the execution of JS. For example

http://www.site.org/index.cfm?fuseaction=";><script>document.location="http://silentcode.net";</script>

Im sure if anyone feels like screwing around with it im sure you'll
find some other interesting problems with it, the thing is like swiss
cheese ; )

Comments and critisisms are welcome.

Comments:
Some sites using fusebox are not vulnerable. It appears to be possible
to set a standard page for errors and some filter out the script tags.
Also some will work with redirects and normal alert boxes but will
filter out document.cookie. In cases like these it often proves useful
to leave in the actual fuseaction. This helps avoid the error in some
cases. e.g
http://www.site.org/index.cfm?fuseaction=fusebox.overview";><script>alert(document.cookie)</script><

Usage:
The main usage of this vulnerability would be cookie stealing. This is
achieved by redirecting the user to a php script on a site you control
with the users cookie as a parameter to the script. Then to avoid
raising suspicions redirect them back to the page they thought they
were accessing. Google "cookie stealing" for more info.

Fix:
Filtering all input to the fusebox correctly should solve this. As
well as that setting it to surpress errors and having a default error
page should also help.

Googling for allinurl:/index.cfm?fuseaction= will give you an idea of
how many sites are possibly vulnerable.

Enjoy,
NNP

As a side note, if the server isnt set to surpress errors you can get
some interesting info such as full path disclosure etc by passing in
special characters such as ?

e.g https://site.com/index.cfm?fuseaction=?

If you want to see an example of what i mean have a look on
http://silentcode.net/community

I've posted a vulnerable site there.
-- 
http://silentcode.net