- Discovered by: Dawid Golunski
- dawid (at) legalhackers.com
- Release date: 31.08.2016
### I. VULNERABILITY
Adobe ColdFusion <= 11 XML External Entity (XXE) Injection
### II. BACKGROUND
"Adobe ColdFusion 11 Enterprise Edition offers a single platform to
rapidly build and deploy scalable, high-performing web and mobile
applications. Leverage unique capabilities to develop, test, and debug
mobile applications end to end. Generate high-quality PDF files and
manipulate them easily."
ColdFusion is widely deployed. A google search for a ColdFusion index file
(index.cfm) exposes over 30 million websites of various sectors that make use
of ColdFusion platform in a visible way:
including various government websites:
### III. INTRODUCTION
An independent research revealed that Adobe ColdFusion in versions 11 and below
is vulnerable to XXE Injection when processing untrusted office documents.
Depending on web application's functionality and the attacker's ability to
supply a malicious document to be processed by a vulnerable ColdFusion
application, this vulnerability may potentially be exploited by both
low-privileged and unauthenticated remote attackers.
This vulnerability can allow various attacks including:
- reading arbitrary files (stored on the server and within the network shares)
- listing web/system directories
- SSRF attacks / unauthorized access to restricted services running on the localhost
as well as within the victim's server network
- SMB relay attacks
- temporary file uploads which may be used by attackers in combination with LFI
vulnerabilities to supply malicious code
This advisory provides a PoC exploit that demonstrates how a remote attacker
could read arbitrary files from the target server, as well as list directories.
Ability to read arbitrary files could for example let attackers extract sensitive
information such as ColdFusion password hashes of the management console or stored
This could allow unauthorized access to weakly protected ColdFusion management
interfaces and let attackers upload malicious code which could be used to fully
compromise the server.
### IV. DESCRIPTION
The XXE vulnerability was found in the Office Open XML (OOXML) processing
functions which are utilised when opening documents that use XML structure.
Documents that are commonly stored in this format include:
- DOCX (Word documents)
- XLSX (Excel spreadsheets)
- PPTX (PowerPoint presentations)
More information about the format can be found in:
The vulnerability is caused by an unrestricted XML parser which allows
for external XML entities processing when parsing such document.
Many web applications often accept OOXML documents from their users to process
documents of various purposes, for example:
- bank statements
- tax forms
- CVs / cover letters
- application forms
Such upload functionality is often exposed to low-privileged or even
unauthenticated remote users.
If an attacker is able to upload a specially crafted OOXML document
which is later processed by an application written in Adobe ColdFusion,
they may be able to perform various malicious actions including
arbitrary file reading and directory listing as mentioned in the
This could for example be used by malicious users to read sensitive
ColdFusion config files such as:
- neo-security.xml , which stores ColdFusion admin's password hash salt
- password.properties , which stores admin's password hash
- neo-datasource.xml , which stores database credentials
that are stored in c:\ColdFusion11\cfusion\lib\ directory by default on Windows
Attackers might also access the application sourcecodes within the documentroot:
or access other sensitive system files available within the system.
As the vulnerability also allows browsing the filesystem and its directories,
attackers may easily find interesting files and ColdFusion config/webroot
directories even if the paths differ from the default ones.
Attackers who have gained access to password hashes could then proceed
to cracking them in order to gain unauthorised access to the databases and
ColdFusion administrator panels to fully compromise the target.
More information on hashes used by ColdFusion 11 can be found in the references
The next section presents a PoC exploit that can be used for file/directory
The exploit will work even if the target ColdFusion application does not return
any data back to the attacker upon processing a malicious document file.
The extracted data will be sent over the network back to the attacker as soon
as the document file is processed.
#### V. PROOF OF CONCEPT EXPLOIT
An example vulnerable ColdFusion application written in CFML language
which loads a spreadsheet document could look as follows:
---[ vulnerable.cfm ]---
<cfspreadsheet format="csv" action="read" src="#expandPath( 'cf_poc_exploit.xlsx' )#" name="xlsdoc" rows="1-4" />
For simplicity, this ColdFusion application will load cf_poc_exploit.xlsx
document from the current directory.
In a real-world situation the application would allow a user to upload a
document from their disk or alternatively fetch it from a URL.
Attacker could use the exploit below to prepare a malicious document and
supply it to a vulnerable ColdFusion application.
For testing purposes only. Do no harm.
Full advisory URL: