It also has an option for cfexecute, and filesetlastmodified, so they could
have covered some of their tracks that way.

If CF is running as local system, they could have done some really bad
things to the system...

~Mahcsig


On Thu, Jan 3, 2013 at 11:05 AM, Dave Watts <dwa...@figleaf.com> wrote:

>
> > My company is running CF8 on IIS.  We have a website that doesn't get
> > much use in between biannual meetings.
> > I just noticed the following code that was inserted into one of the
> > subfolder's index.cfm files.  I'm not seeing any
> > other changes in any other file (yet) and the server doesn't appear to
> > have taken a hit, but I'm not even sure what
> > this code is doing, how it got there, and whether it's harmful.
>
> Any code that can write to your server's filesystem is potentially
> harmful. This code appears to do that, along with listing files on
> your filesystem and allowing viewers to download them. Both of these
> things are potentially harmful, unless you explicitly want to do that.
>
> > Next steps (other than yanking out the code, which I've already done)???
>
> Why is CF allowed to write to the web root? If you prevent CF from
> writing files where it generally shouldn't, you can prevent a lot of
> these types of vulnerabilities. Preventing this may involve changing
> CF's login from SYSTEM to a non-privileged user in addition to setting
> filesystem permissions.
>
> I would recommend that you read the excellent CF 9 Lockdown Guide,
> which I think is still on the Adobe site. Then, do the things it says
> to do.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 
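
Added example, not part of the original thread: a triage sweep of a web root for CFML files that use the capabilities named above (cfexecute, FileSetLastModified, file writes, directory listing). Because a timestamp can be reset, it compares content hashes against a known-good baseline instead of trusting modification times. The cffile/cfdirectory patterns, the baseline format, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Capabilities mentioned in the thread -> CFML constructs that provide them.
# cfexecute and FileSetLastModified are named in the thread; the other two are assumed.
INDICATORS = {
    "exec": re.compile(r"<cfexecute\b", re.I),
    "timestomp": re.compile(r"\bFileSetLastModified\s*\(", re.I),
    "file-write": re.compile(r"<cffile\b[^>]*\baction\s*=\s*[\"']?(write|upload|append)", re.I),
    "dir-list": re.compile(r"<cfdirectory\b", re.I),
}

def scan_webroot(root, baseline=None):
    """Return {relative_path: sorted findings} for .cfm/.cfc files under root.
    baseline: optional {relative_path: sha256} taken from a known-good deployment."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".cfm", ".cfc"):
            continue
        data = path.read_bytes()
        text = data.decode("utf-8", errors="replace")
        findings = {name for name, rx in INDICATORS.items() if rx.search(text)}
        rel = path.relative_to(root).as_posix()
        if baseline is not None:
            known = baseline.get(rel)
            if known is None:
                findings.add("not-in-baseline")   # file that was never deployed
            elif known != hashlib.sha256(data).hexdigest():
                findings.add("hash-mismatch")     # changed, whatever mtime says
        if findings:
            report[rel] = sorted(findings)
    return report

def demo():
    """Constructed sample web root: one clean page and one altered index.cfm."""
    clean = b"<cfoutput>#now()#</cfoutput>\n"
    altered = (b'<cfdirectory action="list" directory="PLACEHOLDER" name="q">\n'
               b'<cffile action="write" file="PLACEHOLDER" output="x">\n'
               b'<cfexecute name="PLACEHOLDER"></cfexecute>\n'
               b'<cfset FileSetLastModified("PLACEHOLDER", now())>\n')
    digest = hashlib.sha256(clean).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "home.cfm").write_bytes(clean)
        (root / "sub" / "index.cfm").write_bytes(altered)
        return scan_webroot(root, {"home.cfm": digest, "sub/index.cfm": digest})

if __name__ == "__main__":
    print(demo())
```

A hit on these tags is a lead for manual review, since legitimate applications also use them; the hash comparison is what shows that a file changed.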

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353746