PaperThin CommonSpot is a content management system (CMS) that is based on Adobe ColdFusion. CommonSpot is composed of over 3000 individual ColdFusion pages (CFM files). When a web site is created using CommonSpot, most of these pages are exposed to the public internet. CommonSpot contains multiple vulnerabilities with a range of impacts. Server-side vulnerabilities in CommonSpot will run with the privileges of the ColdFusion service, which is SYSTEM by default.

CWE-425: Direct Request ('Forced Browsing')
Most of the vulnerabilities in CommonSpot are exposed because of CWE-425. While the CFM pages that comprise CommonSpot are intended to be used together to provide CMS functionality, many of the individual CFM pages can be accessed directly. Many of these pages also accept untrusted input.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Many CommonSpot pages read data from the HTTP request and reflect it back in the HTTP response (Type 1: reflected XSS). In some cases, the reflected data is improperly sanitized, which can allow an attacker to inject HTML elements, such as <script>. In other cases, the reflected data is already within a <script> element, which makes most attempts at sanitization futile. With some pages, some sanitization does take place, such as stripping URI parameters that contain the string "alert". CommonSpot contains instances of CWE-79 that are ColdFusion-based (CFM) as well as pure JavaScript and HTML based. Instances of CWE-79 can be used to steal cookies, which are used for authentication.

CWE-284: Improper Access Control
CommonSpot inconsistently enforces access control. Many pages can be used by an anonymous actor when accessed directly.

CWE-285: Improper Authorization
In many cases, CommonSpot fails to authorize users before taking potentially dangerous actions.

CWE-73: External Control of File Name or Path
Some pages that are provided by CommonSpot accept parameters that are fully qualified filesystem paths.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Some pages that use file names as parameters are vulnerable to directory traversal attacks.

CWE-158: Improper Neutralization of Null Byte or NUL Character
Some pages may cause an attacker-provided string to be terminated earlier than expected, because a NUL character ends the string in the underlying native layer. When combined with CWE-22, this can allow for control of a file path on the same drive as the ColdFusion web root.
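The following is an added illustration, not code from the advisory or from PaperThin, of why the CWE-73, CWE-22 and CWE-158 findings above matter for input validation. It assumes a Windows ColdFusion host and a constructed web root path; it contrasts a suffix-only check, which a NUL-truncated traversal string passes, with a check that rejects NUL bytes and drive-qualified or UNC paths and canonicalises the result before confirming it stays inside the web root.

```python
import ntpath

# Constructed values for the example; CommonSpot's real layout is not given on the page.
WEB_ROOT = r"C:\inetpub\wwwroot\commonspot"
ALLOWED_EXT = ".txt"


def as_seen_by_native_layer(user_path: str) -> str:
    """A NUL byte ends a C string, so everything after it is invisible to the
    file API even though the higher-level language still sees the full value."""
    return user_path.split("\x00", 1)[0]


def naive_check(user_path: str) -> bool:
    """Suffix-only validation: the pattern that CWE-158 combined with CWE-22 defeats.
    The visible suffix looks harmless, but the native layer opens a different file."""
    return user_path.lower().endswith(ALLOWED_EXT)


def hardened_check(user_path: str) -> bool:
    """Reject NUL bytes (CWE-158), drive-qualified, UNC and rooted paths (CWE-73),
    and any value that does not canonicalise to a location under WEB_ROOT (CWE-22).
    Only then is the file extension considered."""
    if "\x00" in user_path:
        return False
    # A Windows host treats both separators as separators, so normalise first.
    normalized = user_path.replace("/", "\\")
    drive, rest = ntpath.splitdrive(normalized)
    if drive or rest.startswith("\\"):       # C:\..., \\server\share\..., \foo
        return False
    candidate = ntpath.normpath(ntpath.join(WEB_ROOT, normalized))
    root_prefix = ntpath.normpath(WEB_ROOT) + "\\"
    if not candidate.lower().startswith(root_prefix.lower()):
        return False                         # resolved above the web root
    return candidate.lower().endswith(ALLOWED_EXT)


if __name__ == "__main__":
    probe = "..\\..\\..\\windows\\win.ini\x00.txt"   # constructed test value
    print("native layer sees:", as_seen_by_native_layer(probe))
    print("naive check passes:", naive_check(probe))
    print("hardened check passes:", hardened_check(probe))
```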

CWE-602: Client-Side Enforcement of Server-Side Security
Several unsafe CommonSpot operations are restricted on the client side using JavaScript. Because client-side JavaScript is under attacker control, these restrictions are not properly enforced.

CWE-434: Unrestricted Upload of File with Dangerous Type
CommonSpot can allow authenticated users to upload arbitrary ColdFusion pages, which can allow arbitrary code execution on the server with the privileges of the ColdFusion service.

CWE-472: External Control of Assumed-Immutable Web Parameter
Many CommonSpot pages use ColdFusion variables that can be overridden via the URI (HTTP GET).

CWE-200: Information Exposure
Several CommonSpot pages disclose sensitive information about the server, including server name, filesystem paths, SQL server type and DSNs, administrative email and SMTP server address.

CWE-312: Cleartext Storage of Sensitive Information
CommonSpot by default stores cleartext credentials in its database. Note that this behavior is documented, and it is possible to enable encryption.

CWE-319: Cleartext Transmission of Sensitive Information
The login pages used by CommonSpot transmit credentials in cleartext. If a CommonSpot server is administered over an untrusted network, the administrative credentials may be observed by an attacker.

CWE-548: Information Exposure Through Directory Listing
Some CommonSpot pages expose the ability to obtain an arbitrary directory listing.

CWE-532: Information Exposure Through Log Files
CommonSpot exposes unauthenticated access to its log file directory. If an attacker accesses a guessable file name, additional information about the server can be exposed.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CommonSpot allows for unauthenticated arbitrary command execution with arbitrary parameters. This command execution happens with the privileges of the ColdFusion service.