Title: Allaire ColdFusion Security Sandbox CFEXECUTE Privilege Escalation Vulnerability
Severity: HIGH
Description:
ColdFusion 4.5 includes Sandbox Security which restricts applications to secure Server Sandboxes, in order to control application access to directories, components, databases, or other resources on the server.
CFEXECUTE is a tag that calls a requested program and waits for the output. The CFOBJECT tag allows you to call methods in COM and CORBA objects. Processes created by CFEXECUTE or CFOBJECT use the 'Windows CreateProcess()' function.
A vulnerability exists in ColdFusion which could allow arbitrary programs to inherit the security settings of ColdFusion SYSTEM privileges, rather than the security context of Sandbox security.
If a program is exectued via CFOBJECT or CFEXECUTE tag the Windows CreateProcess() function will be called, however the function does not retain the Sandbox Security impersonation token. Instead, the function will execute with the permissions of the parent process, in this case the permission level of ColdFusion.
Affected Products:
- Allaire ColdFusion Server 4.5.0
- Allaire ColdFusion Server 5.0.0
References:
- Allaire: JRun Product Homepage
- Microsoft: INFO: Security Context of Child Processes (Q111545)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
