I agree. It is the insertion method I am intrigued by. It is that type of non linear thinking that we as developers use to create elegant solutions. The tool is ugly, and not that special, but the insertion method is clever.
What I don't understand is why adobe would allow something like the scheduler to be called without authentication. Seems like a glaring oversight to me. Brian Cain On Jan 4, 2013, at 5:16 PM, Justin Scott <leviat...@darktech.org> wrote: > >> The file itself is some tool designed to be used by developers, probably >> not developed by rhe hacker himself. He just found a way to store it on >> servers. > > I've seen this tool make the rounds before through other attack > vectors. It's been around since at least ColdFusion MX 6. The > undocumented servicefactory it's calling to get datasources only works > on CF 6 but was deprecated in 7, if I remember correctly, which is why > the datasource list is blank on more modern versions where this is > dropped in. The script is old, but the insertion method is new. > > > -Justin > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353782 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
