Vulnerability Note VU#437385
PaperThin CommonSpot CMS contains multiple vulnerabilities
PaperThin CommonSpot contains multiple vulnerabilities, which may allow an unauthenticated remote attacker to execute arbitrary code on the server.
PaperThin CommonSpot is a content management system (CMS) that is based on Adobe ColdFusion. CommonSpot is composed of over 3000 individual ColdFusion pages (CFM files). When a web site is created using CommonSpot, most of these pages are exposed to the public internet. CommonSpot contains multiple vulnerabilities with a range of impacts. Server-side vulnerabilities in CommonSpot will run with the privileges of the ColdFusion service, which is SYSTEM by default.
CWE-425: Direct Request ('Forced Browsing')
Most of the vulnerabilities in CommonSpot are exposed because of CWE-425. While the CFM pages that comprise CommonSpot are intended to be used together to provide CMS functionality, many of the individual CFM pages can be accessed directly. Many of these pages also accept untrusted input.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-284: Improper Access Control
CommonSpot inconsistently enforces access control. Many pages can be used by an anonymous actor when accessed directly.
CWE-285: Improper Authorization
In many cases, CommonSpot fails to authorize users before taking potentially-dangerous actions.
CWE-73: External Control of File Name or Path
Some pages that are provided by CommonSpot accept parameters that are fully-qualified filesystem paths.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Some pages that use file names as parameters are vulnerable to directory traversal attacks.
CWE-158: Improper Neutralization of Null Byte or NUL Character
Some pages may terminate an attacker-provided string to be terminated earlier than expected. When combined with CWE-22, this can allow for control of a file path on the same drive as the ColdFusion web root.
CWE-602: Client-Side Enforcement of Server-Side Security
CWE-434: Unrestricted Upload of File with Dangerous Type
CommonSpot can allow authenticated users to upload arbitrary ColdFusion pages, which can allow arbitrary code execution on the server with the privileges of the ColdFusion service.
CWE-472: External Control of Assumed-Immutable Web Parameter
Many CommonSpot pages use ColdFusion variables that can be overriden via the URI (HTTP GET).
CWE-200: Information Exposure
Several CommonSpot pages disclose sensitive information about the server, including server name, filesystem paths, SQL server type and DSNs, administrative email and SMTP server address.
CWE-312: Cleartext Storage of Sensitive Information
CommonSpot by default stores cleartext credentials in its database. Note that this behavior is documented, and it is possible to enable encryption.
CWE-319: Cleartext Transmission of Sensitive Information
The login pages used by CommonSpot transmit credentials in cleartext. If a CommonSpot server is administered over an untrusted network, the administrative credentials may be observed by an attacker.
CWE-548: Information Exposure Through Directory Listing
Some CommonSpot pages expose the ability to obtain an arbitrary directory listing.
CWE-532: Information Exposure Through Log Files
CommonSpot exposes unauthenticated access to its log file directory. If an attacker accesses a guessable file name, additional information about the server can be exposed.
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CommonSpot allows for unauthenticated arbitrary command execution with arbitrary parameters. This command execution happens with the privileges of the ColdFusion service.
Depending on the vulnerabilities exploited, a remote unauthenticated attacker may be able to cause a variety of impacts, up to and including remote code execution on the CommonSpot / ColdFusion server with SYSTEM privileges.
Apply an update
The issues that we reported to PaperThin are addressed in CommonSpot versions 7.0.2, 8.0.3 and 9.0. To help harden CommonSpot against vulnerabilities that may not have been addressed in these updates, please also consider the following workaround:
Restrict access to /commonspot
Most of these vulnerabilities can be mitigated by restricting access to the /commonspot directory on a CommonSpot server. This restriction may be possible on the network layer and/or the web server application layer. Note that by simply restricting access on the internet-facing side of CommonSpot, users on the internal network may still be able to trigger the vulnerabilities, e.g. by clicking on a link. Due to the level of access exposed, CommonSpot contributors must be trusted with SYSTEM-level access to the CommonSpot server.
Vendor Information (Learn More)
If you are a vendor and your product is affected, let
|Vendor||Status||Date Notified||Date Updated|
|Paperthin||Affected||07 Oct 2013||14 Apr 2014|
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
14 Apr 2014
Date First Published:
14 Apr 2014
Date Last Updated:
14 Apr 2014
If you have feedback, comments, or additional information about this vulnerability, please send us email.