CVE-2020-15929
📋 TL;DR
CVE-2020-15929 is a critical path traversal vulnerability in Ortus TestBox that allows unauthenticated attackers to write arbitrary CFM files containing malicious CFML code. This leads to remote code execution within the application context. Organizations using TestBox versions 2.4.0 through 4.1.0 for testing ColdFusion applications are affected.
💻 Affected Systems
- Ortus TestBox
📦 What is this software?
TestBox is a testing framework from Ortus Solutions used to test ColdFusion (CFML) applications.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, install backdoors, and pivot to other systems.
Likely Case
Remote code execution leading to data exfiltration, credential theft, and deployment of web shells for persistent access.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and patched systems preventing exploitation.
🎯 Exploit Status
Exploit requires no authentication and is trivial to execute. Public exploit code is available and weaponized in automated attack tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.0 and later
Vendor Advisory: https://ortussolutions.com/products/testbox
Restart Required: Yes
Instructions:
1. Upgrade TestBox to version 4.2.0 or later.
2. Remove or restrict access to older vulnerable versions.
3. Restart the ColdFusion/Lucee service after the upgrade.
🔧 Temporary Workarounds
Restrict access to HTMLRunner.cfm
Block or restrict access to the vulnerable endpoint via web server configuration or a web application firewall.
# Apache (mod_rewrite):
RewriteRule ^system/runners/HTMLRunner\.cfm - [F,L]
# Nginx:
location ~ /system/runners/HTMLRunner\.cfm { deny all; }
# IIS: add a Request Filtering rule that blocks /system/runners/HTMLRunner.cfm
Input validation filter
Implement input validation to sanitize query parameters before they are processed.
// In Application.cfc (CFScript): inspect requests bound for HTMLRunner.cfm before the page runs
component {
    public boolean function onRequestStart( required string targetPage ) {
        if ( findNoCase( "HTMLRunner.cfm", arguments.targetPage ) ) {
            var params = getHTTPRequestData().content; // raw request body; query parameters are in the url scope
            // Add validation logic here (reject traversal sequences and CFML tags in parameter values)
        }
        return true;
    }
}
🧯 If You Can't Patch
- Immediately restrict network access to TestBox instances using firewall rules to allow only trusted IPs.
- Monitor system/runners/HTMLRunner.cfm endpoint for suspicious access patterns and implement WAF rules to block exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check if TestBox version is between 2.4.0 and 4.1.0 by examining the application files or version metadata.
Check Version:
# Check TestBox version in ColdFusion admin or examine /testbox/system/TestBox.cfc for version metadata
Verify Fix Applied:
Verify TestBox version is 4.2.0 or later and test that the HTMLRunner.cfm endpoint no longer accepts malicious parameters.
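The version-range check from the steps above, as an added Python example (not code from the advisory or from TestBox itself). It assumes the version string you read from TestBox.cfc or the package metadata looks like "4.1.0", optionally with a leading "v", a pre-release tag after "-" or build metadata after "+"; those suffixes are ignored, which is an assumption about the version format, not something the page states.

```python
# Added example (not from the advisory page): is a TestBox version string inside
# the affected range 2.4.0 through 4.1.0 (inclusive)?
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (4, 1, 0)
FIXED_VERSION = "4.2.0"


def parse_version(version: str) -> tuple:
    """Reduce "v4.1.0+420" / "4.1.0-beta" / "4.1" to a comparable (major, minor, patch) tuple.
    Stripping "-" and "+" suffixes is an assumption about how the version is recorded."""
    core = version.strip().lstrip("vV").split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {version!r}")
    nums = [int(p) for p in parts]
    return tuple((nums + [0, 0, 0])[:3])  # pad missing components with 0


def is_affected_version(version: str) -> bool:
    """True when the version falls within the range the advisory lists as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version: str) -> str:
    """Human-readable verdict for a reported TestBox version."""
    if is_affected_version(version):
        return f"VULNERABLE (CVE-2020-15929): upgrade to {FIXED_VERSION} or later"
    return "not in the affected range"


if __name__ == "__main__":
    for v in ("2.3.0", "2.4.0", "4.1.0+420", "4.2.0"):   # constructed sample inputs
        print(v, "->", assess(v))
```

Run it with the version string you pulled from the installed TestBox; a verdict of "not in the affected range" for a version below 2.4.0 only means the advisory does not list it, so confirm those installs separately.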
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to /system/runners/HTMLRunner.cfm with file write parameters
- Unexpected CFM file creation in application directories
- ColdFusion/Lucee error logs showing file write attempts
Network Indicators:
- HTTP requests containing malicious CFML code in parameters to TestBox endpoints
- Outbound connections from TestBox servers to suspicious IPs post-exploitation
SIEM Query:
source="web_server_logs" AND (uri="/system/runners/HTMLRunner.cfm" AND (param="file" OR param="content"))
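The log indicators and the SIEM query above, turned into a small detector, as an added Python example (not code from the advisory or from any vendor tool). It assumes Apache/Nginx combined access-log format, takes the parameter names "file" and "content" from the SIEM query on this page, and runs over constructed sample log lines, not real traffic. It goes slightly beyond the query by also flagging URL-decoded path-traversal sequences and CFML tags in any parameter value, and by marking bare POSTs to the runner for review because the request body is not in the access log.

```python
# Added example (not from the advisory page): flag access-log lines that match the
# CVE-2020-15929 log indicators. Sample lines below are constructed.
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

RUNNER_PATH = "/system/runners/htmlrunner.cfm"        # compared case-insensitively
WRITE_PARAMS = {"file", "content"}                       # names from the page's SIEM query
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")                  # ../ or ..\ after URL decoding
CFML_TAG_RE = re.compile(r"<cf[a-z]+", re.IGNORECASE)    # e.g. <cfexecute, <cfscript

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    severity: str                       # "high" (indicator matched) or "review"
    reasons: list = field(default_factory=list)


def analyze_line(line: str):
    """Return a Finding for a suspicious HTMLRunner.cfm request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                                      # not a parseable access-log line
    parts = urlsplit(m["target"])
    if not parts.path.lower().endswith(RUNNER_PATH):
        return None                                      # not the vulnerable endpoint
    params = parse_qs(parts.query, keep_blank_values=True)   # values are percent-decoded
    reasons = []
    hit = sorted(WRITE_PARAMS & {k.lower() for k in params})
    if hit:
        reasons.append("file-write parameter(s): " + ", ".join(hit))
    values = [v for vals in params.values() for v in vals]
    if any(TRAVERSAL_RE.search(v) for v in values):
        reasons.append("path traversal sequence in parameter value")
    if any(CFML_TAG_RE.search(v) for v in values):
        reasons.append("CFML tag in parameter value")
    if reasons:
        return Finding(m["ip"], m["ts"], m["method"], "high", reasons)
    if m["method"] == "POST":
        # Body parameters never reach the access log; route these to WAF/application logs.
        return Finding(m["ip"], m["ts"], "POST", "review",
                       ["POST to runner endpoint; inspect request body"])
    return None


def analyze_log(text: str) -> list:
    """Run analyze_line over every line of an access log and keep the findings."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]


# Constructed sample log (not real traffic): a normal test run, a request carrying
# the write parameters with traversal and a CFML tag, a bare POST, and unrelated noise.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Oct/2020:10:01:02 +0000] "GET /testbox/system/runners/HTMLRunner.cfm?directory=tests.specs HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2020:10:02:15 +0000] "GET /testbox/system/runners/HTMLRunner.cfm?file=..%2F..%2Fshell.cfm&content=%3Ccfexecute HTTP/1.1" 200 312 "-" "python-requests/2.24"
198.51.100.9 - - [12/Oct/2020:10:02:16 +0000] "POST /testbox/system/runners/HTMLRunner.cfm HTTP/1.1" 200 311 "-" "python-requests/2.24"
192.0.2.4 - - [12/Oct/2020:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_ACCESS_LOG):
        print(f.severity.upper(), f.ip, f.ts, f.method, "; ".join(f.reasons))
```

Pair the "high" findings with the file-system indicator on this page (new .cfm files appearing under the application directories) to confirm whether a flagged request actually wrote anything; a legitimate test run, like the first sample line, touches the endpoint without any of the write parameters.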