ColdFusion

Discovery

Method | Description
Port Scanning | ColdFusion listens on port 80 (HTTP) and port 443 (HTTPS) by default, so finding those ports open may indicate a ColdFusion server. Nmap's service scan may also identify ColdFusion directly.
File Extensions | ColdFusion pages normally use the ".cfm" or ".cfc" file extensions, so pages with these extensions are an indicator that the application runs on ColdFusion.
HTTP Headers | Check the HTTP response headers: ColdFusion typically sets headers such as "Server: ColdFusion" or "X-Powered-By: ColdFusion" that identify the technology in use.
Error Messages | If the application runs on ColdFusion, its error messages may reference ColdFusion-specific tags or functions.
Default Files | ColdFusion creates several default files during installation, such as "admin.cfm" or "CFIDE/administrator/index.cfm". Finding these files on the web server may indicate that the application runs on ColdFusion.

$ nmap -p- -sC -Pn 10.129.247.30 --open

Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-13 11:45 GMT
Nmap scan report for 10.129.247.30
Host is up (0.028s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

Note the /CFIDE/ path on port 8500 and the .cfm files served there: both point to ColdFusion.

Exploitation

Directory Traversal (CVE-2010-2861, version <= 9.0.1)

  • CFIDE/administrator/settings/mappings.cfm

  • logging/settings.cfm

  • datasources/index.cfm

  • j2eepackaging/editarchive.cfm

  • CFIDE/administrator/enter.cfm

[cf_root]/lib/password.properties is the file that contains the key-value pairs of encrypted passwords.
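As an added example (not part of the original notes), a defender-side check that scans web-server access logs for traversal attempts against the ColdFusion Administrator pages listed above and for reads of password.properties; the admin network range, the combined log format and the sample lines are assumed or constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Apache-style combined log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
ADMIN_NETS = [ip_network("10.10.0.0/24")]  # where admin access is expected (assumed)
ADMIN_PREFIX = "/cfide/administrator/"      # enter.cfm, settings/mappings.cfm, ...
SECRET_FILE = "password.properties"          # the [cf_root]/lib file the traversal targets


def inspect_request(src, target, status):
    """Return the reasons this request looks like CFIDE abuse (empty list if clean)."""
    # Decode twice so %2e%2e%2f and the double-encoded %252e form both normalise.
    decoded = unquote(unquote(target)).lower()
    reasons = []
    if not decoded.startswith(ADMIN_PREFIX):
        return reasons                       # outside the Administrator surface
    if "../" in decoded or "..\\" in decoded:
        reasons.append("traversal")
    if SECRET_FILE in decoded:
        reasons.append("password.properties")
    try:
        inside = any(ip_address(src) in net for net in ADMIN_NETS)
    except ValueError:                       # hostname or garbage in the client field
        inside = False
    if not inside:
        reasons.append("admin-from-outside")
    if status == "200" and "traversal" in reasons:
        reasons.append("likely-success")     # server answered the traversal with 200
    return reasons


def scan_log(lines):
    """Return (client, target, reasons) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            src, _method, target, status = m.groups()
            reasons = inspect_request(src, target, status)
            if reasons:
                hits.append((src, target, reasons))
    return hits


# Constructed sample lines: a legitimate admin login, a traversal attempt from outside,
# and a traversal against a non-admin page that this rule deliberately leaves to other rules.
SAMPLE_LOG = [
    '10.10.0.7 - - [13/Mar/2023:11:45:01 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 4120',
    '203.0.113.9 - - [13/Mar/2023:11:45:02 +0000] "GET /CFIDE/administrator/enter.cfm?p=..%2F..%2F..%2Flib%2Fpassword.properties HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Mar/2023:11:45:03 +0000] "GET /index.cfm?id=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210',
]
```

Run `scan_log(SAMPLE_LOG)` to get the flagged entries; a "likely-success" hit means the server returned 200 to a traversal request and the file should be assumed read.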

Remote Code Execution (CVE-2009-2265, version <= 8.0.1)

  • searchsploit -m 50057

Notable Exploits

  1. CVE-2021-21087: Arbitrary disallow of uploading JSP source code

  2. CVE-2020-24453: Active Directory integration misconfiguration

  3. CVE-2020-24450: Command injection vulnerability

  4. CVE-2020-24449: Arbitrary file reading vulnerability

  5. CVE-2019-15909: Cross-Site Scripting (XSS) Vulnerability

Other Notes

ColdFusion default ports

Port Number | Protocol | Description
80 | HTTP | Used for non-secure HTTP communication between the web server and web browser.
443 | HTTPS | Used for secure HTTP communication between the web server and web browser; the traffic between them is encrypted.
1935 | RPC | Used for client-server communication. The Remote Procedure Call (RPC) protocol allows a program to request information from another program on a different network device.
25 | SMTP | Simple Mail Transfer Protocol (SMTP) is used for sending email messages.
8500 | SSL | Used for server communication via Secure Socket Layer (SSL).
5500 | Server Monitor | Used for remote administration of the ColdFusion server.
