Information Leakage in CFMX Admin is a Security Risk

I just noted today that the login screen for CFMX 6 and 7 includes a version number and patch level. Using this information an attacker can readily identify unpatched machines which are ripe for attack. This is yet another reason to protect your entire CFIDE directory from prying eyes, and perhaps it would be a good idea for Macromedia to remove this information from the administrator login screen in future versions.
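As an added example, not part of the original post: a small Python check an administrator can run against the `/CFIDE/administrator/` responses of their own hosts, to tell whether the login page is reachable at all and, if so, whether it advertises a `Version: a,b,c,build` string. The host names and response bodies below are constructed for illustration; in practice you would feed it the status code and body returned by your own servers.

```python
import re
from typing import Dict, Optional, Tuple

# Pattern for the build string the CFMX login page prints, e.g. "Version: 6,1,0,63958".
# The fourth field is the build/patch number referred to in the post.
VERSION_RE = re.compile(r"Version:\s*(\d+),(\d+),(\d+),(\d+)")


def extract_cf_version(html: str) -> Optional[Tuple[int, ...]]:
    """Return the advertised version as a tuple of ints, or None if nothing is leaked."""
    m = VERSION_RE.search(html)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess_admin_exposure(status: int, html: str) -> str:
    """Classify one response fetched from /CFIDE/administrator/ on a host you own."""
    # A denied or missing page means the directory is not reachable from this vantage point.
    if status in (401, 403, 404):
        return "locked down"
    version = extract_cf_version(html)
    if version is None:
        return "exposed: login page reachable, no version string"
    return "exposed: login page reachable, advertises %s" % ",".join(map(str, version))


# Constructed sample responses (not captured from any real server) so the check runs offline.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "cf-dev-1": (200, "<html><body>ColdFusion Administrator Login ... Version: 6,1,0,63958</body></html>"),
    "cf-dev-2": (200, "<html><body>ColdFusion MX Administrator Login</body></html>"),
    "cf-prod-1": (403, "<html><body>Forbidden</body></html>"),
}


def audit(responses: Dict[str, Tuple[int, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Map each host name to its exposure verdict."""
    return {host: assess_admin_exposure(status, body) for host, (status, body) in responses.items()}


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host}: {verdict}")
```

Any host that does not come back as "locked down" is one where the CFIDE directory is still readable from wherever the check was run, regardless of whether the version string itself happens to be present.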

Comments (5)


Emanuel Costa I could see on CFMX 7 the version number but not on CFMX 6. I suppose someone can find out the patch number from the version number, or you actually can see the patch level?
Cameron Childress I verified this on a dev machine in the office. Viewing the /CFIDE/administrator directory revealed "Version: 6,1,0,63958" where "63958" is the patch level.
Cameron Childress Actually, on further inspection the version number doesn't appear to change for CFMX7 after applying a cumulative hotfix. However, your version is still advertised to anyone wandering by, and that directory should still be locked down.
Jennifer Larkin I don't think that displaying the version number before login on the administrator is a big security risk, although clearly you should not allow unauthorized people to even see the admin. The reason that I don't see it as a risk is that my understanding is that the most prevalent "looking for known vulnerabilities" process has nothing to do with trying to find out which version of CF you use. Many script kiddies and hackers don't even care if you have CF.

What tends to happen is that someone builds a script (or downloads one) that has a list of known vulnerabilities that is basically looped over for each server. The scripts aren't specific to ColdFusion or even to a version of ColdFusion. When the script finds a known vulnerability, it does something. This is all automated-- no person ever goes to the server and looks at a page. In fact, specific servers are usually not targeted either-- randomly generated (or semi-randomly) IP addresses are.

To target a specific version of ColdFusion server based on having viewed the CF Admin would be terribly inefficient.

I'm not saying that it isn't a possible security risk-- it is. But it's not a very realistic hacking scenario, in my opinion. IMNASA where IMNASA = I am not a security admin. :)

For instance, we had a server in our house hacked recently. We have 8 static IP addresses, given out by a host known to give out static IP addresses. People run scripts against their entire IP block because they are static, and then run detection scripts against the members of the block. The script ran looking for known vulnerabilities having no idea what kind of server it was. There was a vulnerable CGI script on the server (not my server) that was detected by the script, got attacked, and got the machine rootkitted. We could tell from the logs how that had found the vulnerability.

When I worked at a company that got serious about security vulnerabilities, they started testing my servers with the same downloadable scripts that script-kiddies use. This is a pretty standard procedure in the computer security world-- try to attack yourself with the tools that people really use, and see what happens.
Cameron Childress Jennifer,

Everyone has their own level of risk that they are comfortable with. A principal guideline in security circles involves hiding any information about what software you are using, and particularly what version you are using.

Script kiddies certainly represent one category of attacker, but they are far from the only type of attacker you should be thinking about and defending against. A well-informed and motivated attacker will use any and all information at his or her disposal to attack your network. Products being used and versions of those products are considered "low hanging fruit" for these types of attackers and are usually the very first thing done during the research stage of an attack.

Having said all of that, there are many other reasons that the CF admin shouldn't be visible to the web, and this is certainly not the first.
