Home page logo

nmap-dev logo Nmap Development mailing list archives

Another NSE to detect Coldfusion servers vulnerable to APSA13-01
From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 14 Jul 2013 02:18:45 -0500

Hi list,

I wanted to share a quick script I had to write for a job where something interesting happened.

They were running Coldfusion 9.0.1 with all patches and hotfixes but yet they still got compromised. After reviewing logs it was obvious that the vulnerability used was the one marked as APSA13-01 (http://www.adobe.com/support/security/advisories/apsa13-01.html). I wasn't sure what was happening since the version banner at the administration panel showed that Coldfusion had all the patches. I reviewed the installation process of the corresponding hotfix (http://www.adobe.com/support/security/bulletins/apsb13-03.html) to make sure all patched files were installed correctly and to my surprise everything was there. The services were restarted too yet Nmap kept telling me the host was vulnerable.

Turns out that Adobe forgot to mention that you also need to visit the administration panel and go to Security->RDS and reset the password (even if RDS is disabled like it was in this case) to complete the installation of the patch. My guess is that there are other system administrators who might have overlooked this and might find the script useful.


description = [[
Attempts to exploit the authentication bypass vulnerability marked as APSA13-01 (http://www.adobe.com/support/security/advisories/apsa13-01.html) to retrieve the administrator's session cookie of Adobe Coldfusion servers.

-- @usage nmap -sV --script http-adobe-coldfusion-apsa1301 <target>
-- @usage nmap -p80 --script http-adobe-coldfusion-apsa1301 --script-args basepath=/cf/adminapi/ <target>
-- @output
-- 80/tcp open  http
-- | http-adobe-coldfusion-apsa1301:
-- |_ admin_cookie: aW50ZXJhY3RpdmUNQUEyNTFGRDU2NzM1OEYxNkI3REUzRjNCMjJERTgxOTNBNzUxN0NEMA1jZmFkbWlu
-- @args http-adobe-coldfusion-apsa1301.basepath URI path to administrator.cfc. Default: /CFIDE/adminapi/

Attachment: http-adobe-coldfusion-apsa1301.nse

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]