All,

In case you have not heard... Adobe mentioned this last night...

https://www.adobe.com/support/security/advisories/apsa13-03.html

Essentially, they believe the exploit is already out there and is actively infecting systems.

However, it can be prevented through access controls on the CFIDE admin directories.


      AFFECTED SOFTWARE VERSIONS

ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX


      MITIGATIONS

Adobe recommends ColdFusion customers take the following steps to mitigate this vulnerability:

  * Restrict public access to the CFIDE/administrator, CFIDE/adminapi
    and CFIDE/gettingstarted directories by following the hardening
    guidance in the ColdFusion 9 Lockdown Guide
    <http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf>
    and ColdFusion 10 Lockdown Guide
    <http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf>

  * Refer to the ColdFusion 9 Lockdown Guide
    <http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf>
    and ColdFusion 10 Lockdown Guide
    <http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf>
    for security best practices and further information on these hardening
    techniques.

This is the first I have heard of the CFIDE/gettingstarted directory, so I am assuming that is only on CF10. Another directory that should be protected but is not mentioned in this exploit (but has been mentioned in others) is the CFIDE/componentutils directory.

If needed/desired, I can share some simple .htaccess samples for people that need to protect CF on an apache server...
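
An Apache configuration fragment, added here as an illustration (it is not the poster's .htaccess samples and not Adobe's own guidance), that applies the mitigation above to the directories named in the advisory plus CFIDE/componentutils; the admin network 10.0.0.0/8 is a placeholder, and the syntax is Apache 2.4 (Require), with the 2.2 equivalent shown in a comment.

```apache
# Added example: block public access to the ColdFusion admin paths from
# APSA13-03 (administrator, adminapi, gettingstarted) plus componentutils.
# Place in the virtual host that fronts ColdFusion. (?i) makes the match
# case-insensitive, which matters on Windows where /cfide/ADMINISTRATOR
# maps to the same directory. 10.0.0.0/8 is a placeholder admin network.
<LocationMatch "(?i)^/CFIDE/(administrator|adminapi|gettingstarted|componentutils)(/|$)">
    Require ip 10.0.0.0/8
    # Apache 2.2 equivalent:
    #   Order deny,allow
    #   Deny from all
    #   Allow from 10.0.0.0/8
</LocationMatch>

# These rules only cover requests that reach Apache. Requests sent straight
# to ColdFusion's built-in web server port bypass them, so that listener
# must be firewalled or disabled separately (the Lockdown Guides cover this).
```

After reloading Apache, confirm from a non-admin address that GET /CFIDE/administrator/ returns 403 rather than the login page.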



-------------------------------------------------------------
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------