Millions of users of Adobe’s ColdFusion programming language are at risk of 
losing control of their applications and websites.
 
Penetration testing company ProCheckUp were able to access every file, including 
usernames and passwords, from a server running ColdFusion. This was completed 
through a directory traversal and file retrieval flaw found within ColdFusion 
Administrator. A standard web browser was used to carry out the attack; 
knowledge of the admin password is not needed.

A competent attacker would be able to steal files from the server, gain 
access to secure areas as well, and eventually modify content or shut down the 
website or application.

Richard Brain of ProCheckUp commented: “This is a trivial attack which can be 
performed easily by a competent engineer; ProCheckUp thanks Adobe for 
consciously working with us to produce a patch which fixes the traversal 
attack. By performing a simple Google search for inurl:index.cfm, it was found 
that there are over 80 million examples of sites using ColdFusion.”

ProCheckUp has released an advisory relating to this flaw, though will not 
publish the exploit code for 7 days, giving administrators time to apply the 
Adobe patches. ProCheckUp felt it unwise to delay releasing the exploit any 
longer, as the exploit is trivial and can be easily determined by analysing the 
patches.

The full details of the vulnerability can be found on www.procheckup.com.


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336194