All,
In case you have not heard... Adobe mentioned this last night...
https://www.adobe.com/support/security/advisories/apsa13-03.html
Essentially, they believe the exploit is already out there and is
actively infecting systems.
However, it can be prevented through access controls on the CFIDE admin
directories.
AFFECTED SOFTWARE VERSIONS
ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX
MITIGATIONS
Adobe recommends ColdFusion customers take the following steps to
mitigate this vulnerability:
* Restrict public access to the CFIDE/administrator, CFIDE/adminapi
and CFIDE/gettingstarted directories by following the hardening
guidance in the ColdFusion 9 Lockdown Guide
<http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf>
and ColdFusion 10 Lockdown Guide
<http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf>
* Refer to the ColdFusion 9 Lockdown Guide
<http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf>
and ColdFusion 10 Lockdown Guide
<http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf>
for security best practices and further information on these hardening
techniques.
This is the first I have heard of the CFIDE/gettingstarted directory, so
I am assuming that is only on CF10. Another directory that should be
protected but is not mentioned on this exploit (but has been mentioned on
others) is the CFIDE/componentutils directory.
If needed/desired, I can share some simple .htaccess samples for people
that need to protect CF on an Apache server...
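Added example (not the poster's .htaccess samples and not from the Adobe advisory): an Apache 2.4 httpd.conf fragment that blocks the four CFIDE directories named in this message for everyone except an admin network. It assumes Apache 2.4 "Require" syntax, that CFIDE is served under /CFIDE at the web root, and that 10.0.0.0/24 is a placeholder for your real admin subnet.

```apache
# Added example, not from the post or the advisory.
# Restrict CFIDE admin directories to localhost and an admin subnet.
# 10.0.0.0/24 is a placeholder; replace it with your management network.
#
# (?i) makes the match case-insensitive: on Windows the filesystem is
# case-insensitive, so /cfide/Administrator/ would otherwise slip past a
# case-sensitive pattern. The trailing (/|$) also catches a request for
# /CFIDE/adminapi with no trailing slash.
<LocationMatch "(?i)^/CFIDE/(administrator|adminapi|gettingstarted|componentutils)(/|$)">
    Require ip 127.0.0.1 ::1
    Require ip 10.0.0.0/24
</LocationMatch>

# Apache 2.2 equivalent of the access rules above (mod_authz_host, old syntax):
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1 ::1 10.0.0.0/24
```

Because <LocationMatch> is evaluated in Apache's access-check phase, the 403 is returned before the request is handed to the ColdFusion connector, so the admin pages are never reached. If you prefer per-directory .htaccess files, the Require lines alone (without the LocationMatch wrapper, which is not permitted in .htaccess) go into a .htaccess in each of the four directories, provided AllowOverride permits AuthConfig or Limit. After applying either form, confirm from an address outside the allowed list that /CFIDE/administrator/ returns 403 rather than the login page.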
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------