Details of flaws within Adobe's ColdFusion software have been brought to light by a security researcher following the issue of a hotfix.
Researcher Dawid Golunski of Legal Hackers privately disclosed the flaw to Adobe as well as the exploit's proof-of-concept.
In an advisory, Golunski said that versions of the product up to and including 11 had an XXE injection vulnerability when processing untrusted office documents.
Golunski said the vulnerability is caused by an unrestricted XML parser that allows external XML entities to be processed when parsing such documents.
“Depending on web application's functionality and the attacker's ability to supply a malicious document to be processed by a vulnerable ColdFusion application, this vulnerability may potentially be exploited by both low-privileged and unauthenticated remote attackers,” he said.
He added that the vulnerability can allow various attacks, including: reading arbitrary files (stored on the server and on network shares); listing web/system directories; SSRF attacks and unauthorised access to restricted services running on localhost or elsewhere in the victim's server network; SMB relay attacks; and temporary file uploads which may be used by attackers in combination with LFI vulnerabilities to supply malicious code.
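The root cause described above is a parser that honours DTDs and external entities in XML parts of an uploaded office document. The following is an added example (not Adobe's code, not from the advisory) of the defensive parser configuration that closes that door: every XML part of an OOXML package is parsed with a DOCTYPE declaration and any external entity reference refused outright. The package builder, element counting and sample documents are constructed for the demonstration.

```python
import io
import zipfile
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a document part carries a DTD or an external entity reference."""


def parse_office_part(data: bytes) -> dict:
    """Parse one XML part of an Office package with XXE vectors disabled.
    Returns a count of element names, standing in for whatever the app extracts."""
    parser = expat.ParserCreate()

    # Office XML parts never need a DOCTYPE, and the DOCTYPE is where XXE entity
    # declarations live, so refuse it outright (this also stops internal-entity
    # expansion attacks such as "billion laughs").
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} not allowed in office document part")
    parser.StartDoctypeDeclHandler = reject_doctype

    # Second layer: never load parameter entities, never resolve external references.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity {sysid!r} refused")
    parser.ExternalEntityRefHandler = reject_external

    counts: dict = {}

    def on_start(name, attrs):
        counts[name] = counts.get(name, 0) + 1
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return counts


def check_office_package(package: bytes) -> dict:
    """Parse every XML part of an OOXML (.docx/.xlsx/.pptx) zip with the hardened parser.
    Returns {part_name: element_counts}; raises UnsafeXmlError on the first bad part."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if name.endswith((".xml", ".rels")):
                results[name] = parse_office_part(zf.read(name))
    return results


def is_safe_package(package: bytes) -> bool:
    """True if the package parses cleanly, False if any part trips the XXE guard."""
    try:
        check_office_package(package)
        return True
    except UnsafeXmlError:
        return False


def build_package(document_xml: bytes) -> bytes:
    """Constructed helper: wrap one document.xml into a minimal .docx-style zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a benign document and one declaring an external entity
# (the SYSTEM URI is a placeholder, not a real target).
BENIGN = (b'<?xml version="1.0"?><w:document xmlns:w="urn:w">'
          b'<w:body><w:p><w:t>hello</w:t></w:p></w:body></w:document>')
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
           b'<w:document xmlns:w="urn:w"><w:body><w:p><w:t>&ext;</w:t></w:p></w:body></w:document>')

if __name__ == "__main__":
    print(check_office_package(build_package(BENIGN)))
    print("hostile accepted:", is_safe_package(build_package(HOSTILE)))
```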
The researcher added that hackers could also use the flaw to read critical ColdFusion configuration files such as neo-security.xml, password.properties, and neo-datasource.xml. These files store sensitive information about the server admin's password salt and hash and database credentials.
“Attackers who have gained access to password hashes could then proceed to crack them in order to gain unauthorized access to the databases and ColdFusion administrator panels to fully compromise the target,” Golunski said.
“The ability to read arbitrary files could, for example, let attackers read ColdFusion password hashes including the management console and database credentials. This could allow unauthorized access to weakly protected ColdFusion management interfaces and ultimately upload malicious code to compromise the server.”
The flaw saw Adobe issue patches for ColdFusion 10 and 11 installations. Adobe has been forced to issue patches for ColdFusion in the past to address vulnerabilities that could result in information disclosure.