Millions of Coldfusion sites need to apply patches
Posted on 12 August 2010.
ProCheckUp were able to access every file including username and passwords from a server running ColdFusion. This was completed through a directory traversal and file retrieval flaw found within ColdFusion administrator. A standard web browser was used to carry out the attack, knowledge of the admin password is not needed.


A competent attacker would be able to steal files from the server and gain access to secure areas as well and eventually modify content or shut down the website or application. According to Adobe’s website ColdFusion is used by Bank of America, JPMorgan Chase, Federal Reserve Bank and The United State Senate not to mention IT Security companies Symantec & McAfee.

Versions tested and found vulnerable:
  • ColdFusion MX7 7,0,0,91690 base patches
  • ColdFusion MX8 8,0,1,195765 base patches
  • ColdFusion MX8 8,0,1,195765 with Hotfix4.
How to patch

Apply patches as described below, or restrict access to /CIDE/administrator/ by IP address or other similar controls.

ColdFusion 9
1. Download CFIDE-9.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-9.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.

ColdFusion 8.0.1
1. Download CFIDE-801.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-801.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.

ColdFusion 8.0
1. Download CFIDE-8.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-8.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion
Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.





Spotlight

Staples customers likely the latest victims of credit card breach

Posted on 21 October 2014.  |  Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Oct 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //