Tuesday, July 07, 2009

ColdFusion, SaaS, and negligence

Recent headlines have described news pertinent to ColdFusion-related vulnerabilities and hacks specifically targeting the FCKEditor text editing tool, and the CKFinder file management tool. There have been further indications of attackers uploading a ColdFusion web shell as often seen on vulnerable PHP platforms.

These discussions reminded me of two significant pet peeves.
1) ColdFusion error verbosity and how useful it is to attackers.
2) Negligent vendors who do absolutely nothing about security vulnerabilities they've been advised of; worse still, when the vendor is a SaaS provider.

Case in point: WebPublish CMS

I communicated with these folks at multiple intervals via email and telephone from February 20, 2009 until April 23, 2009. It took multiple efforts just to get through as my messages were manually interpreted as "potential SPAM". Trust me, my security advisory language does not trip SPAM filters and is most often easily and well received. Yet, after finally making a connection, I received the classic "we don't have the time and resources to address this issue any time soon." To which I replied with useful resources for mitigation and remediation. My last received communication stated "I will have a look and see if I can incorporate as much as I can." That was two and half months ago.
I think we can agree the tenets of responsible disclosure were followed, yes?
Thus, a seemingly capable, growing SaaS provider quite simply blew me off.

So be it. Here's my favorite example of something they should immediately fix: A cross-site scripting (XSS) vulnerability exhibited in the ColdFusion error page leading to significant information disclosure (ID) while indicating possible SQL injection (SQLi) vulnerabilities. Wow, really?

A screen shot complete with a wee bit 'o appsec humor courtesy of an IFRAME insertion:

Now take this absurdity to the next level.
As many a vendor is prone to doing, WebPublish CMS sites clearly state that "This site is powered by WebPublish".
How helpful.
Try intext:"powered by WebPublish" via Google.
Just a few results, yes?
We'll use a few for further analysis. What do they all have in common?
Yep, all the same IP, as in all on the same server.

Core application vulnerabilities in a primary service offering (SaaS) from one vendor, on one server, affecting hundreds if not thousands of clients.
See the problem?
Negligence, plain and simple.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)


rwnin said...

lol, maybe (hopefully) they're behind a load balancer...

booo@vendors who ignore serious security issues...

nice writeup :)

Rafal Los said...

That's sad. The *only* way these guys could get WORSE is if they displayed the "McAfee Secure" logo :)

On a more serious note... they have zero incentive to care until their customers tell them they need to. Perhaps it's time to have a frank discussion with their customers?


Russ McRee said...

I actual started that little PoC with McAfee Secure in the IFRAME, but couldn't pass on the chance to pay homage to the ASS Cert. Seemed only fitting.
Per the customer outreach concept, I agree. Something needs to be done. The Twittersphere perhaps?

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...