Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Tony Bentley

Thanks Pete. Unfortunately, I'm dealing with a virtual directory issue and
ghetto architecture in IIS. I was able to figure out how to lock it down
using the firewall and http proxy rules.

On Thu, Aug 12, 2010 at 2:09 PM, Pete Freitag  wrote:

>
> On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley
> wrote:
>
> >
> > Can someone pass me the Perl regex to allow the scripts folder? I'm just
> > not getting it on my own. So the rule would match anything that contains
> > /CFIDE/ *except /CFIDE/SCRIPTS/ case insensitive.
> >
> >
> You can put the /CFIDE/scripts/ folder anywhere you want, just put it
> somewhere (eg /cf-scripts/), and change the setting in ColdFusion
> administrator ("Script Src" on settings page).
>
> --
> Pete Freitag
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
>
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336253
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Pete Freitag

On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley
wrote:

>
> Can someone pass me the Perl regex to allow the scripts folder? I'm just
> not getting it on my own. So the rule would match anything that contains
> /CFIDE/ *except /CFIDE/SCRIPTS/ case insensitive.
>
>
You can put the /CFIDE/scripts/ folder anywhere you want, just put it
somewhere (eg /cf-scripts/), and change the setting in ColdFusion
administrator ("Script Src" on settings page).

--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336252


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Tony Bentley

Can someone pass me the Perl regex to allow the scripts folder? I'm just not 
getting it on my own. So the rule would match anything that contains /CFIDE/ 
*except /CFIDE/SCRIPTS/ case insensitive. 

Thanks in advance for saving me hours and hours of trial and error. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336251
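
Tony's rule (match anything containing /CFIDE/ except /CFIDE/scripts/, case-insensitively), worked through as an added example that is not part of the thread: a Perl-compatible pattern built on a negative lookahead, a variant that also exempts /CFIDE/classes as Dave Watts suggests for the old CFFORM applets, and Procheckup's "bare minimum" list as a second rule. The function names, the canonicalisation step and the sample request paths are my own assumptions rather than anything a poster wrote; canonicalising (percent-decoding and resolving dot segments) before matching is what keeps the rule from being sidestepped by a differently spelled path to the same directory.

```python
import posixpath
import re
from urllib.parse import unquote


def cfide_rule(allowed_subdirs=("scripts",)):
    """Build the rule asked for in the thread: match any path that contains
    /CFIDE/ unless it is under one of the allowed sub-folders (case-insensitive).

    The negative lookahead '(?!...)' expresses the "except" part inside one
    Perl-style regex, so the same pattern can be dropped into a PCRE-based
    filter such as ISAPI_Rewrite or mod_rewrite. Pass ("scripts", "classes")
    when the old CFFORM Java applets are still in use.
    """
    exceptions = "|".join(re.escape(d) for d in allowed_subdirs)
    return re.compile(rf"/CFIDE/(?!(?:{exceptions})(?:/|$))", re.IGNORECASE)


# The "bare minimum" from Procheckup's post: only the admin-related folders.
MINIMUM_RULE = re.compile(
    r"/CFIDE/(?:adminapi|administrator|componentutils|wizards)(?:/|$)",
    re.IGNORECASE,
)


def canonical_path(raw_path):
    """Reduce a request path to the form the rule should be applied to
    (an assumed step; the thread does not spell it out).

    Percent-decode until stable, treat backslashes as slashes (IIS does),
    and resolve '.' / '..' segments, so that differently spelled requests
    for the same directory are judged by the same rule.
    """
    path = raw_path.split("?", 1)[0]
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    normalized = posixpath.normpath("/" + path.lstrip("/"))
    # normpath drops the trailing slash; keep it so "/CFIDE/administrator/"
    # still reads as a directory request.
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_blocked(raw_path, rule=None):
    """True when the web server or proxy should refuse the request."""
    rule = rule or cfide_rule()
    return rule.search(canonical_path(raw_path)) is not None


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    samples = [
        "/CFIDE/administrator/index.cfm",
        "/cfide/ADMINAPI/base.cfc",
        "/CFIDE/scripts/ajax/package/cfajax.js",
        "/CFIDE/classes/cfform.jar",
        "/CFIDE/scripts/../administrator/index.cfm",
        "/%43FIDE/administrator/",
        "/index.cfm",
    ]
    full = cfide_rule(("scripts", "classes"))
    for s in samples:
        verdict = "BLOCK" if is_blocked(s, full) else "allow"
        print(f"{verdict:5}  {s}")
```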


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Procheckup news

For the bare minimum, restrict access to the following directories:

/CFIDE/adminapi/
/CFIDE/administrator/
/CFIDE/componentutils/
/CFIDE/wizards/


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336248


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Larry Lyons

I get 2,800,000,000 results.

>If you google for inurl:*.cfm
>
>You get 259 million results.
>
>
>andy
>
>> Richard Brain of ProCheckUp commented “This is a trivial attack which 
>> can be performed easily by a competent engineer; ProCheckUp thanks 
>> Adobe for consciously working with us to produce a patch which fixes 
>> the traversal attack. By performing a simple Google search for 
>> inurl:index.cfm, it was found that over 80 million examples of  sites 
>> using Coldfusion.
>> 
>
>Gee, I thought ColdFusion was dead. Guess not
>
>Will

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336247


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Dave Watts

> Is it sufficient to restrict access to /cfide/administrator?

You may also want to restrict access to /CFIDE/adminapi.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336240


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Al Musella, DPM

Is it sufficient to restrict access to /cfide/administrator?


>The easiest solution is to restrict access to /CFIDE/, which 
>unfortunately only a slight majority of Coldfusion sites have done.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336237


RE: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Jacob

Same here... restricted by internal IP address and username/password.

-Original Message-
From: Andrew Grosset [mailto:rushg...@yahoo.com] 
Sent: Wednesday, August 11, 2010 2:08 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches


phew!! for a moment I was worried

No authentication is needed; all that is needed is that the admin console is 
accessible to the Internet. 

Apply patches as described below, or restrict access to /CFIDE/administrator/ by 
IP address or other similar controls.

this line is important:
restrict access to /CFIDE/administrator/ by IP address or other similar controls

this should be mandatory irrespective of the patches applied (in my opinion).


> Millions of users of Adobe’s ColdFusion programming language are at
> risk of losing control of their applications and websites.
>
> The full details of the vulnerability can be found on www.procheckup.com




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336235


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Adrocknaphobia

Just a reminder, we published a ColdFusion 9 Server Lockdown Guide back in
June. It provides details and instructions for securing the ColdFusion
Administrator. While the guide was written for ColdFusion 9 specifically,
most of the tips will apply to version 6+.

http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf


-Adam

On Thu, Aug 12, 2010 at 11:05 AM, Dan Baughman wrote:

>
> Millions of sites applying one patch is better than Millions of sites
> applying Millions of patches  ^^
>
>
>
> http://www.digitaltrends.com/computing/microsoft-issues-record-number-of-patches/
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336229


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Dan Baughman

Millions of sites applying one patch is better than Millions of sites
applying Millions of patches  ^^


http://www.digitaltrends.com/computing/microsoft-issues-record-number-of-patches/


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336226


Re: Millions of Coldfusion sites need to apply patches

2010-08-12 Thread Andy Allan

ColdFusion 7 is no longer supported by Adobe. Therefore only customers
who have "extended support", which you pay for, are entitled to a fix
for CF7.

But as has already been pointed out, just restrict your /CFIDE.

Andy

On 11 August 2010 22:17, Gerald Guido  wrote:
>
> Wait a second
>
> According to the ProCheckUp site the vulnerability affects
>
> ColdFusion MX7 7,0,0,91690 base patches
> ColdFusion MX8 8,0,1,195765 base patches
> ColdFusion MX8 8,0,1,195765 with Hotfix4
>
> And Adobe's Security bulletin says it affects ColdFusion 8.0, 8.0.1, 9.0,
> 9.0.1 and earlier versions for Windows, Macintosh and UNIX
>
> Are there no patches for CF 7.01 or below?
>
> G?
>
> On Wed, Aug 11, 2010 at 4:50 PM, Procheckup news wrote:
>
>>
>> Millions of users of Adobe’s ColdFusion programming language are at risk of
>> losing control of their applications and websites.
>>
>> Penetration testing company ProCheckUp were able to access every file
>> including username and passwords from a server running ColdFusion. This was
>> completed through a directory traversal and file retrieval flaw found within
>> ColdFusion administrator. A standard web browser was used to carry out the
>> attack; knowledge of the admin password is not needed.
>>
>> A competent attacker would be able to steal files from the server and gain
>> access to secure areas as well and eventually modify content or shut down
>> the website or application.
>>
>> Richard Brain of ProCheckUp commented “This is a trivial attack which can
>> be performed easily by a competent engineer; ProCheckUp thanks Adobe for
>> consciously working with us to produce a patch which fixes the traversal
>> attack. By performing a simple Google search for inurl:index.cfm, it was
>> found that over 80 million examples of  sites using Coldfusion.
>>
>> Procheckup has released an advisory relating to this flaw, though will not
>> publish the exploit code for 7 days giving administrators time to apply the
>> Adobe patches. Procheckup felt it unwise to delay releasing the exploit any
>> longer, as the exploit is trivial and can be easily determined by analysing
>> the patches.
>>
>> The full details of the vulnerability can be found on www.procheckup.com
>>
>>
>>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336220


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Gerald Guido

>>Says "About 2,600,000,000 results" for me

A lot of those are probably mine. I stopped taking Ritalin a few years back.
;)

G!

On Wed, Aug 11, 2010 at 10:44 PM, Bobby Hartsfield wrote:

>
> Says "About 2,600,000,000 results" for me.
>
>
>
> .:.:.:.:.:.:.:.:.:.:.:.:.:.
> Bobby Hartsfield
> http://acoderslife.com
>
> -Original Message-
> From: andy matthews [mailto:li...@commadelimited.com]
> Sent: Wednesday, August 11, 2010 10:38 PM
> To: cf-talk
> Subject: RE: Millions of Coldfusion sites need to apply patches
>
>
> If you google for inurl:*.cfm
>
> You get 259 million results.
>
>
> andy
>
> -Original Message-
> From: Will Tomlinson [mailto:w...@wtomlinson.com]
> Sent: Wednesday, August 11, 2010 9:12 PM
> To: cf-talk
> Subject: Re: Millions of Coldfusion sites need to apply patches
>
>
> > Richard Brain of ProCheckUp commented “This is a trivial attack which
> > can be performed easily by a competent engineer; ProCheckUp thanks
> > Adobe for consciously working with us to produce a patch which fixes
> > the traversal attack. By performing a simple Google search for
> > inurl:index.cfm, it was found that over 80 million examples of sites
> > using Coldfusion.
> >
>
> Gee, I thought ColdFusion was dead. Guess not
>
> Will
>
>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336219


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Mark Mandel

Having worked with Google's search API, those numbers do tend to be
estimates ;o)

Mark

On Thu, Aug 12, 2010 at 12:44 PM, Bobby Hartsfield wrote:

>
> Says "About 2,600,000,000 results" for me.
>
>
>
> .:.:.:.:.:.:.:.:.:.:.:.:.:.
> Bobby Hartsfield
> http://acoderslife.com
>
> -Original Message-
> From: andy matthews [mailto:li...@commadelimited.com]
> Sent: Wednesday, August 11, 2010 10:38 PM
> To: cf-talk
> Subject: RE: Millions of Coldfusion sites need to apply patches
>
>
> If you google for inurl:*.cfm
>
> You get 259 million results.
>
>
> andy
>
> -Original Message-
> From: Will Tomlinson [mailto:w...@wtomlinson.com]
> Sent: Wednesday, August 11, 2010 9:12 PM
> To: cf-talk
> Subject: Re: Millions of Coldfusion sites need to apply patches
>
>
> > Richard Brain of ProCheckUp commented “This is a trivial attack which
> > can be performed easily by a competent engineer; ProCheckUp thanks
> > Adobe for consciously working with us to produce a patch which fixes
> > the traversal attack. By performing a simple Google search for
> > inurl:index.cfm, it was found that over 80 million examples of sites
> > using Coldfusion.
> >
>
> Gee, I thought ColdFusion was dead. Guess not
>
> Will
>
>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336218


RE: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Bobby Hartsfield

Says "About 2,600,000,000 results" for me.

 
 
.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
 
-Original Message-
From: andy matthews [mailto:li...@commadelimited.com] 
Sent: Wednesday, August 11, 2010 10:38 PM
To: cf-talk
Subject: RE: Millions of Coldfusion sites need to apply patches


If you google for inurl:*.cfm

You get 259 million results.


andy

-Original Message-
From: Will Tomlinson [mailto:w...@wtomlinson.com] 
Sent: Wednesday, August 11, 2010 9:12 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches


> Richard Brain of ProCheckUp commented “This is a trivial attack which
> can be performed easily by a competent engineer; ProCheckUp thanks
> Adobe for consciously working with us to produce a patch which fixes
> the traversal attack. By performing a simple Google search for
> inurl:index.cfm, it was found that over 80 million examples of sites
> using Coldfusion.
> 

Gee, I thought ColdFusion was dead. Guess not

Will





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336217


RE: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread andy matthews

If you google for inurl:*.cfm

You get 259 million results.


andy

-Original Message-
From: Will Tomlinson [mailto:w...@wtomlinson.com] 
Sent: Wednesday, August 11, 2010 9:12 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches


> Richard Brain of ProCheckUp commented “This is a trivial attack which 
> can be performed easily by a competent engineer; ProCheckUp thanks 
> Adobe for consciously working with us to produce a patch which fixes 
> the traversal attack. By performing a simple Google search for 
> inurl:index.cfm, it was found that over 80 million examples of  sites 
> using Coldfusion.
> 

Gee, I thought ColdFusion was dead. Guess not

Will



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336216


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Will Tomlinson

> Richard Brain of ProCheckUp commented “This is a trivial attack which 
> can be performed easily by a competent engineer; ProCheckUp thanks 
> Adobe for consciously working with us to produce a patch which fixes 
> the traversal attack. By performing a simple Google search for 
> inurl:index.cfm, it was found that over 80 million examples of  sites 
> using Coldfusion.
> 

Gee, I thought ColdFusion was dead. Guess not

Will

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336214


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Dave Watts

> By golly it worked!  Is the CFIDE/scripts directory the only one needed
> to be remapped?

If you're using old-style CFFORM stuff with Java applets, you will
need /CFIDE/classes as well.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336213


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread denstar

ISAPI rewrite (1st one)

http://www.robgonda.com/blog/files/robGonda/UserFiles/File/bprucell.2005.11.03.txt

This has lots of good stuff:

http://foundeo.com/security/presentations/hardening-coldfusion.pdf

Hardening servers is a blast!  Everyone should do it.

:Den

-- 
Six is a number perfect in itself, and not because God created the
world in six days; rather the contrary is true. God created the world
in six days because this number is perfect, and it would remain
perfect, even if the work of the six days did not exist.
St. Augustine

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336209


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread rex

By golly it worked!  Is the CFIDE/scripts directory the only one needed 
to be remapped?

Mark Mandel wrote:
> Just expose the scripts, you don't have to expose the entire admin.
>
> This could be done by simply copying them, or if you are on Apache, use
> aliases, or on Linux, symbolic links, IIS Virtual directories (I think, I
> don't really use IIS)...
>
> Lots of options.
>
> Mark
>
> On Thu, Aug 12, 2010 at 8:52 AM, rex  wrote:
>
>   
>> If we restrict access to CFIDE, won't the tags that make use of
>> resources in this directory break?
>>
>> For example, the CF ajax features reference the file
>> cfide/scripts/ajax/package/cfajax.js
>>
>> If we block CFIDE, these would break.  What would be the workaround?
>>
>> Procheckup news wrote:
>> 
>>> Regrettably Adobe has seen fit to release only patches for version 8 and
>>>   
>> version 9.
>> 
>>> The easiest solution is to restrict access to /CFIDE/, which
>>>   
>> unfortunately only a slight majority of Coldfusion sites have done.
>> 
>>>   
>> 
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336206


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Mark Mandel

Just expose the scripts, you don't have to expose the entire admin.

This could be done by simply copying them, or if you are on Apache, use
aliases, or on Linux, symbolic links, IIS Virtual directories (I think, I
don't really use IIS)...

Lots of options.

Mark

On Thu, Aug 12, 2010 at 8:52 AM, rex  wrote:

>
> If we restrict access to CFIDE, won't the tags that make use of
> resources in this directory break?
>
> For example, the CF ajax features reference the file
> cfide/scripts/ajax/package/cfajax.js
>
> If we block CFIDE, these would break.  What would be the workaround?
>
> Procheckup news wrote:
> > Regrettably Adobe has seen fit to release only patches for version 8 and
> version 9.
> >
> > The easiest solution is to restrict access to /CFIDE/, which
> unfortunately only a slight majority of Coldfusion sites have done.
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336205


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread rex

If we restrict access to CFIDE, won't the tags that make use of 
resources in this directory break?

For example, the CF ajax features reference the file 
cfide/scripts/ajax/package/cfajax.js

If we block CFIDE, these would break.  What would be the workaround?

Procheckup news wrote:
> Regrettably Adobe has seen fit to release only patches for version 8 and 
> version 9.
>
> The easiest solution is to restrict access to /CFIDE/, which unfortunately 
> only a slight majority of Coldfusion sites have done. 
>
>   

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336204


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Procheckup news

Whether to release the exploit or not is subject to a number of different 
practical and moral considerations.

Firstly, security testers and testing tools need to have functional and working 
exploits to validate whether their customers’ sites are secure; if exploits are 
not released they cannot do their job. Every time a security tester runs a scan 
the exploit is publicly published, so selective disclosure does not work.

Secondly, the exploit contained within Adobe’s patches will be rapidly reverse 
engineered by governmental Infosec warfare teams, along with various 
commercially profitable underground organisations. Our intent in using 
publicity is to minimise the impact of this.

ProCheckUp have had a number of discussions regarding waiting a longer time, say 
one month, to release the exploit, though this was determined to be unfeasible 
due to the ease of determining the exploit and using it. It was felt that it is 
better to give ColdFusion administrators a tight deadline to secure their 
servers, rather than a relaxed one and having servers subjected to attack by 
the above. 

Personally I know that many prefer that exploits are not published and I 
understand this perspective; though my perspective is different coming from 
practical experience of performing forensics on customer sites after they have 
been ‘hacked’ using unpublished or zero day exploits. 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336203


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Dave Watts

> If that is your intention, then don't release the 'sploit.

There are two problems with that:

1. Without an exploit for testing, how can you tell if you're secure?
Tools like Nessus, etc, rely on this for their functionality.

2. The exploit can presumably be derived by comparing the public patch
against the pre-patched files. We're just talking about CFML here, so
anyone can decrypt that.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336201


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Gerald Guido

>>>My intention is not to spread FUD, but to ensure people are patched and
'ready' ASAP.

If that is your intention, then don't release the 'sploit.

G!


On Wed, Aug 11, 2010 at 5:21 PM, Procheckup news wrote:

>
> Regrettably Adobe has seen fit to release only patches for version 8 and
> version 9.
>
> The easiest solution is to restrict access to /CFIDE/, which unfortunately
> only a slight majority of Coldfusion sites have done.
>
> The greatest problem is that the patches can be easily analysed and reverse
> engineered to identify the exploit, an experienced person can do this in 4-5
> hours.
>
> My intention is not to spread FUD, but to ensure people are patched and
> 'ready' ASAP.
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336200


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Procheckup news

Regrettably Adobe has seen fit to release only patches for version 8 and 
version 9.

The easiest solution is to restrict access to /CFIDE/, which unfortunately only 
a slight majority of Coldfusion sites have done. 

The greatest problem is that the patches can be easily analysed and reverse 
engineered to identify the exploit; an experienced person can do this in 4-5 
hours.

My intention is not to spread FUD, but to ensure people are patched and 'ready' 
ASAP.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336199


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Mark Mandel

While I'm glad that Adobe and Procheckup have worked this out, it shows yet
another reason why people should be making sure that their cfadmin is not
publicly accessible.

Making it only accessible from behind a firewall or VPN is something that I
think people should be doing by default.

Regardless, thanks for the hard work from Adobe and Procheckup.

Mark

Sent from my mobile device

On 12 Aug 2010 06:57, "Procheckup news"  wrote:
>
> Millions of users of Adobe’s ColdFusion programming language are at risk
> of losing control of their applications and websites.
>
> Penetration testing company ProCheckUp were able to access every file
> including username and passwords from a server running ColdFusion. This was
> completed through a directory traversal and file retrieval flaw found within
> ColdFusion administrator. A standard web browser was used to carry out the
> attack; knowledge of the admin password is not needed.
>
> A competent attacker would be able to steal files from the server and gain
> access to secure areas as well and eventually modify content or shut down
> the website or application.
>
> Richard Brain of ProCheckUp commented “This is a trivial attack which can
> be performed easily by a competent engineer; ProCheckUp thanks Adobe for
> consciously working with us to produce a patch which fixes the traversal
> attack. By performing a simple Google search for inurl:index.cfm, it was
> found that over 80 million examples of sites using Coldfusion.
>
> Procheckup has released an advisory relating to this flaw, though will not
> publish the exploit code for 7 days giving administrators time to apply the
> Adobe patches. Procheckup felt it unwise to delay releasing the exploit any
> longer, as the exploit is trivial and can be easily determined by analysing
> the patches.
>
> The full details of the vulnerability can be found on www.procheckup.com
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336198


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Gerald Guido

Wait a second

According to the ProCheckUp site the vulnerability affects

ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4

And Adobe's Security bulletin says it affects ColdFusion 8.0, 8.0.1, 9.0,
9.0.1 and earlier versions for Windows, Macintosh and UNIX

Are there no patches for CF 7.01 or below?

G?

On Wed, Aug 11, 2010 at 4:50 PM, Procheckup news wrote:

>
> Millions of users of Adobe’s ColdFusion programming language are at risk of
> losing control of their applications and websites.
>
> Penetration testing company ProCheckUp were able to access every file
> including username and passwords from a server running ColdFusion. This was
> completed through a directory traversal and file retrieval flaw found within
> ColdFusion administrator. A standard web browser was used to carry out the
> attack; knowledge of the admin password is not needed.
>
> A competent attacker would be able to steal files from the server and gain
> access to secure areas as well and eventually modify content or shut down
> the website or application.
>
> Richard Brain of ProCheckUp commented “This is a trivial attack which can
> be performed easily by a competent engineer; ProCheckUp thanks Adobe for
> consciously working with us to produce a patch which fixes the traversal
> attack. By performing a simple Google search for inurl:index.cfm, it was
> found that over 80 million examples of  sites using Coldfusion.
>
> Procheckup has released an advisory relating to this flaw, though will not
> publish the exploit code for 7 days giving administrators time to apply the
> Adobe patches. Procheckup felt it unwise to delay releasing the exploit any
> longer, as the exploit is trivial and can be easily determined by analysing
> the patches.
>
> The full details of the vulnerability can be found on www.procheckup.com
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336197


Re: Millions of Coldfusion sites need to apply patches

2010-08-11 Thread Andrew Grosset

phew!! for a moment I was worried

No authentication is needed; all that is needed is that the admin console is 
accessible to the Internet. 

Apply patches as described below, or restrict access to /CFIDE/administrator/ by 
IP address or other similar controls.

this line is important:
restrict access to /CFIDE/administrator/ by IP address or other similar controls

this should be mandatory irrespective of the patches applied (in my opinion).


> Millions of users of Adobe’s ColdFusion programming language are at
> risk of losing control of their applications and websites.
>
> The full details of the vulnerability can be found on www.procheckup.com


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336196