Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


File http-vuln-cve2010-2861

Script types: portrule
Categories: intrusive, vuln
Download: http://nmap.org/svn/scripts/http-vuln-cve2010-2861.nse

User Summary

Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. You can pass this value to the ColdFusion server as the admin without cracking the password hash.

Script Arguments

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.showall

See the documentation for the vulns library.

unittest.run

See the documentation for the unittest library.

Example Usage

nmap --script http-vuln-cve2010-2861 <host>

Script Output

80/tcp open  http
| http-vuln-cve2010-2861:
|   VULNERABLE:
|   Adobe ColdFusion enter.cfm Traversal password.properties Information Disclosure
|     State: VULNERABLE
|     IDs:  CVE:CVE-2010-2861  OSVDB:67047
|     Description:
|       Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion
|       9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter
|     Disclosure date: 2010-08-10
|     Extra information:
|
|   ColdFusion8
|   HMAC: d6914bef568f8931d0c696cd5f7748596f97db5d
|   Salt: 1329446896585
|   Hash: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
|
|     References:
|       http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking
|       http://www.nessus.org/plugins/index.php?view=single&id=48340
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2861
|       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861
|_      http://osvdb.org/67047


This script relies on the service being identified as HTTP or HTTPS. If the
ColdFusion server you run this against is on a port other than 80/tcp or 443/tcp
then use "nmap -sV" so that nmap discovers the port as an HTTP server.

Requires


Author: Micah Hoffman

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]