Re: Millions of Coldfusion sites need to apply patches
ColdFusion 7 is no longer supported by Adobe. Therefore only customers who have extended support, which you pay for, are entitled to a fix for CF7. But as has already been pointed out, just restrict your /CFIDE.

Andy

On 11 August 2010 22:17, Gerald Guido gerald.gu...@gmail.com wrote:

> Wait a second. According to the ProCheckUp site the vulnerability affects:
>
> ColdFusion MX7 7,0,0,91690 base patches
> ColdFusion MX8 8,0,1,195765 base patches
> ColdFusion MX8 8,0,1,195765 with Hotfix4
>
> And Adobe's Security bulletin says it affects ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX.
>
> Are there no patches for CF 7.01 or below?
>
> G?
>
> On Wed, Aug 11, 2010 at 4:50 PM, Procheckup news n...@procheckup.com wrote:
>
>> Millions of users of Adobe's ColdFusion programming language are at risk of losing control of their applications and websites. Penetration testing company ProCheckUp were able to access every file, including usernames and passwords, from a server running ColdFusion. This was completed through a directory traversal and file retrieval flaw found within ColdFusion administrator. A standard web browser was used to carry out the attack; knowledge of the admin password is not needed. A competent attacker would be able to steal files from the server and gain access to secure areas as well, and eventually modify content or shut down the website or application.
>>
>> Richard Brain of ProCheckUp commented: "This is a trivial attack which can be performed easily by a competent engineer; ProCheckUp thanks Adobe for consciously working with us to produce a patch which fixes the traversal attack."
>>
>> By performing a simple Google search for inurl:index.cfm, over 80 million examples of sites using Coldfusion were found.
>>
>> Procheckup has released an advisory relating to this flaw, though will not publish the exploit code for 7 days, giving administrators time to apply the Adobe patches. Procheckup felt it unwise to delay releasing the exploit any longer, as the exploit is trivial and can be easily determined by analysing the patches.
>>
>> The full details of the vulnerability can be found on www.procheckup.com

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336220
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Millions of Coldfusion sites need to apply patches
Millions of sites applying one patch is better than millions of sites applying millions of patches ^^

http://www.digitaltrends.com/computing/microsoft-issues-record-number-of-patches/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336226
Re: Millions of Coldfusion sites need to apply patches
Just a reminder, we published a ColdFusion 9 Server Lockdown Guide back in June. It provides details and instructions for securing the ColdFusion Administrator. While the guide was written for ColdFusion 9 specifically, most of the tips will apply to version 6+.

http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf

-Adam

On Thu, Aug 12, 2010 at 11:05 AM, Dan Baughman dan.baugh...@gmail.com wrote:

> Millions of sites applying one patch is better than millions of sites applying millions of patches ^^
>
> http://www.digitaltrends.com/computing/microsoft-issues-record-number-of-patches/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336229
RE: Millions of Coldfusion sites need to apply patches
Same here... restricted by internal IP address and username/password.

-Original Message-
From: Andrew Grosset [mailto:rushg...@yahoo.com]
Sent: Wednesday, August 11, 2010 2:08 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches

> phew!! for a moment I was worried
>
>> No authentication is needed; all that is needed is that the admin console is accessible to the Internet. Apply patches as described below, or restrict access to /CFIDE/administrator/ by IP address or other similar controls.
>
> This line is important:
>
>> restrict access to /CFIDE/administrator/ by IP address or other similar controls
>
> This should be mandatory irrespective of the patches applied (in my opinion).
>
>> Millions of users of Adobe's ColdFusion programming language are at risk of losing control of their applications and websites.
>>
>> The full details of the vulnerability can be found on www.procheckup.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336235
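The posts above settle on restricting the administrator paths by source IP. One way to verify that such a restriction is actually in force is to read the web server's access log and flag every request to the locked-down /CFIDE/ subtrees that came from outside the allowed ranges and was still answered with a 2xx. The following is an added example written for this page, not code from the thread, Adobe or ProCheckUp; the log lines are constructed (Apache common log format, with 10.0.0.0/8 standing in for the internal range and documentation addresses as "external" clients), and `INTERNAL_NETS` is a hypothetical allowlist.

```python
import ipaddress
import re

# Constructed sample access-log lines in Apache common log format; not real traffic.
# 10.0.0.0/8 stands in for the internal range; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as "external" addresses.
SAMPLE_LOG = """\
10.0.0.15 - - [12/Aug/2010:09:01:12 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2010:09:02:40 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 403 210
203.0.113.7 - - [12/Aug/2010:09:02:41 +0000] "GET /CFIDE/adminapi/ HTTP/1.1" 200 1800
198.51.100.23 - - [12/Aug/2010:09:03:00 +0000] "GET /CFIDE/scripts/ajax/package/cfajax.js HTTP/1.1" 200 40321
198.51.100.23 - - [12/Aug/2010:09:03:05 +0000] "GET /index.cfm HTTP/1.1" 200 9001
malformed line that the parser must skip
"""

# Hypothetical allowlist of networks that are permitted to reach the administrator.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# The four subtrees the thread names as the bare minimum to lock down.
LOCKED = re.compile(r"^/cfide/(?:administrator|adminapi|componentutils|wizards)(?:/|$)",
                    re.IGNORECASE)

# Common log format: client, ident, user, [timestamp], "METHOD target protocol", status, bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) ')


def parse_clf(line):
    """Return (ip, timestamp, method, path, status) or None for a line that does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return ip, ts, method, target.split("?", 1)[0], int(status)


def is_internal(ip_text):
    """True when the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_admin_exposure(log_text):
    """Flag requests to locked-down /CFIDE/ subtrees from non-internal addresses.

    Each finding is (ip, path, status, verdict): 'served' when the server answered 2xx
    (the restriction is missing), 'blocked' when it answered 401/403 (the restriction
    worked but the path is still reachable at the web-server layer), 'other' otherwise.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        ip, _ts, _method, path, status = rec
        if not LOCKED.search(path) or is_internal(ip):
            continue
        if 200 <= status < 300:
            verdict = "served"
        elif status in (401, 403):
            verdict = "blocked"
        else:
            verdict = "other"
        findings.append((ip, path, status, verdict))
    return findings


if __name__ == "__main__":
    for ip, path, status, verdict in find_admin_exposure(SAMPLE_LOG):
        print(f"{verdict:8} {status} {ip:15} {path}")
```

Any `served` finding means an external client was handed a page from the administrator tree and the IP restriction is not doing its job; `blocked` findings are evidence that the control is working, and also a record of who is probing the console.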
Re: Millions of Coldfusion sites need to apply patches
Is it sufficient to restrict access to /cfide/administrator?

> The easiest solution is to restrict access to /CFIDE/, which unfortunately only a slight majority of Coldfusion sites have done.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336237
Re: Millions of Coldfusion sites need to apply patches
> Is it sufficient to restrict access to /cfide/administrator?

You may also want to restrict access to /CFIDE/adminapi.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336240
Re: Millions of Coldfusion sites need to apply patches
I get 2,800,000,000 results.

> If you google for inurl:*.cfm you get 259 million results.
>
> andy
>
>> [...]
>>
>> Gee, I thought ColdFusion was dead. Guess not
>>
>> Will

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336247
Re: Millions of Coldfusion sites need to apply patches
For the bare minimum, restrict access to the following directories:

/CFIDE/adminapi/
/CFIDE/administrator/
/CFIDE/componentutils/
/CFIDE/wizards/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336248
Re: Millions of Coldfusion sites need to apply patches
Can someone pass me the Perl regex to allow the scripts folder? I'm just not getting it on my own. So the rule would match anything that contains /CFIDE/ *except* /CFIDE/SCRIPTS/, case insensitive.

Thanks in advance for saving me hours and hours of trial and error.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336251
Re: Millions of Coldfusion sites need to apply patches
On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley cascadefreehee...@gmail.com wrote:

> Can someone pass me the Perl regex to allow the scripts folder? I'm just not getting it on my own. So the rule would match anything that contains /CFIDE/ *except* /CFIDE/SCRIPTS/, case insensitive.

You can put the /CFIDE/scripts/ folder anywhere you want, just put it somewhere (eg /cf-scripts/), and change the setting in ColdFusion administrator (Script Src on settings page).

--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336252
Re: Millions of Coldfusion sites need to apply patches
Thanks Pete. Unfortunately, I'm dealing with a virtual directory issue and ghetto architecture in IIS. I was able to figure out how to lock it down using the firewall and http proxy rules.

On Thu, Aug 12, 2010 at 2:09 PM, Pete Freitag p...@foundeo.com wrote:

> On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley cascadefreehee...@gmail.com wrote:
>
>> [...]
>
> You can put the /CFIDE/scripts/ folder anywhere you want, just put it somewhere (eg /cf-scripts/), and change the setting in ColdFusion administrator (Script Src on settings page).
>
> --
> Pete Freitag
> http://foundeo.com/ - ColdFusion Consulting Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336253
Re: Millions of Coldfusion sites need to apply patches
phew!! for a moment I was worried

> No authentication is needed; all that is needed is that the admin console is accessible to the Internet. Apply patches as described below, or restrict access to /CFIDE/administrator/ by IP address or other similar controls.

This line is important:

> restrict access to /CFIDE/administrator/ by IP address or other similar controls

This should be mandatory irrespective of the patches applied (in my opinion).

> Millions of users of Adobe's ColdFusion programming language are at risk of losing control of their applications and websites.
>
> The full details of the vulnerability can be found on www.procheckup.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336196
Re: Millions of Coldfusion sites need to apply patches
Wait a second. According to the ProCheckUp site the vulnerability affects:

ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4

And Adobe's Security bulletin says it affects ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX.

Are there no patches for CF 7.01 or below?

G?

On Wed, Aug 11, 2010 at 4:50 PM, Procheckup news n...@procheckup.com wrote:

> Millions of users of Adobe's ColdFusion programming language are at risk of losing control of their applications and websites.
>
> [...]
>
> The full details of the vulnerability can be found on www.procheckup.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336197
Re: Millions of Coldfusion sites need to apply patches
While I'm glad that Adobe and Procheckup have worked this out, it shows yet another reason why people should be making sure that their cfadmin is not publicly accessible. Making it only accessible from behind a firewall or VPN is something that I think people should be doing by default.

Regardless, thanks for the hard work from Adobe and Procheckup.

Mark

Sent from my mobile device

On 12 Aug 2010 06:57, Procheckup news n...@procheckup.com wrote:

> Millions of users of Adobe's ColdFusion programming language are at risk of losing control of their applications and websites.
>
> [...]
>
> The full details of the vulnerability can be found on www.procheckup.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336198
Re: Millions of Coldfusion sites need to apply patches
Regrettably Adobe has seen fit to release only patches for version 8 and version 9. The easiest solution is to restrict access to /CFIDE/, which unfortunately only a slight majority of Coldfusion sites have done.

The greatest problem is that the patches can be easily analysed and reverse engineered to identify the exploit; an experienced person can do this in 4-5 hours.

My intention is not to spread FUD, but to ensure people are patched and 'ready' ASAP.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336199
Re: Millions of Coldfusion sites need to apply patches
> My intention is not to spread FUD, but to ensure people are patched and 'ready' ASAP.

If that is your intention, then don't release the 'sploit.

G!

On Wed, Aug 11, 2010 at 5:21 PM, Procheckup news n...@procheckup.com wrote:

> Regrettably Adobe has seen fit to release only patches for version 8 and version 9. The easiest solution is to restrict access to /CFIDE/, which unfortunately only a slight majority of Coldfusion sites have done.
>
> The greatest problem is that the patches can be easily analysed and reverse engineered to identify the exploit; an experienced person can do this in 4-5 hours.
>
> My intention is not to spread FUD, but to ensure people are patched and 'ready' ASAP.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336200
Re: Millions of Coldfusion sites need to apply patches
> If that is your intention, then don't release the 'sploit.

There are two problems with that:

1. Without an exploit for testing, how can you tell if you're secure? Tools like Nessus, etc, rely on this for their functionality.

2. The exploit can presumably be derived by comparing the public patch against the pre-patched files. We're just talking about CFML here, so anyone can decrypt that.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336201
Re: Millions of Coldfusion sites need to apply patches
Whether to release the exploit or not is subject to a number of different practical and moral considerations.

Firstly, security testers and testing tools need to have functional and working exploits to validate if their customers' sites are secure; if exploits are not released they cannot do their job. Every time a security tester runs a scan the exploit is publicly published, so selective disclosure does not work.

Secondly, the exploit contained within Adobe's patches will be rapidly reverse engineered by governmental Infosec warfare teams, along with various commercially profitable underground organisations. Our intent by using publicity is to minimise the impact of this.

ProCheckUp have had a number of discussions regarding waiting a longer time, say one month, to release the exploit, though this was determined to be unfeasible due to the ease of determining the exploit and using it. It was felt that it is better to give ColdFusion administrators a tight deadline to secure their servers, rather than a relaxed one and having servers subjected to attack by the above.

Personally I know that many prefer that exploits are not published and I understand this perspective; though my perspective is different, coming from practical experience of performing forensics on customer sites after they have been 'hacked' using unpublished or zero day exploits.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336203
Re: Millions of Coldfusion sites need to apply patches
If we restrict access to CFIDE, won't the tags that make use of resources in this directory break? For example, the CF ajax features reference the file cfide/scripts/ajax/package/cfajax.js. If we block CFIDE, these would break. What would be the workaround?

Procheckup news wrote:

> Regrettably Adobe has seen fit to release only patches for version 8 and version 9. The easiest solution is to restrict access to /CFIDE/, which unfortunately only a slight majority of Coldfusion sites have done.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336204
Re: Millions of Coldfusion sites need to apply patches
Just expose the scripts, you don't have to expose the entire admin. This could be done by simply copying them, or if you are on Apache, use aliases, or on Linux, symbolic links, IIS Virtual directories (I think, I don't really use IIS)... Lots of options.

Mark

On Thu, Aug 12, 2010 at 8:52 AM, rex li...@pgrworld.com wrote:

> If we restrict access to CFIDE, won't the tags that make use of resources in this directory break? For example, the CF ajax features reference the file cfide/scripts/ajax/package/cfajax.js. If we block CFIDE, these would break. What would be the workaround?
>
> Procheckup news wrote:
>
>> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336205
Re: Millions of Coldfusion sites need to apply patches
By golly it worked! Is the CFIDE/scripts directory the only one needed to be remapped?

Mark Mandel wrote:

> Just expose the scripts, you don't have to expose the entire admin. This could be done by simply copying them, or if you are on Apache, use aliases, or on Linux, symbolic links, IIS Virtual directories (I think, I don't really use IIS)... Lots of options.
>
> Mark
>
> On Thu, Aug 12, 2010 at 8:52 AM, rex li...@pgrworld.com wrote:
>
>> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336206
Re: Millions of Coldfusion sites need to apply patches
ISAPI rewrite (1st one)
http://www.robgonda.com/blog/files/robGonda/UserFiles/File/bprucell.2005.11.03.txt

This has lots of good stuff:
http://foundeo.com/security/presentations/hardening-coldfusion.pdf

Hardening servers is a blast! Everyone should do it.

:Den

--
Six is a number perfect in itself, and not because God created the world in six days; rather the contrary is true. God created the world in six days because this number is perfect, and it would remain perfect, even if the work of the six days did not exist.
St. Augustine

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336209
Re: Millions of Coldfusion sites need to apply patches
> By golly it worked! Is the CFIDE/scripts directory the only one needed to be remapped?

If you're using old-style CFFORM stuff with Java applets, you will need /CFIDE/classes as well.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336213
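Several posts in this thread converge on one rule: deny everything under /CFIDE/ (adminapi, administrator, componentutils, wizards) while still serving /CFIDE/scripts/, and, per the reply above, /CFIDE/classes/ for old-style CFFORM applets. The regex asked for earlier is a negative lookahead, `^/cfide/(?!(?:scripts|classes)/)` with case-insensitive matching. What the thread does not spell out is that such a rule must be evaluated on the canonical request path: percent-encoding, doubled slashes and dot segments are all alternative spellings of the same directory, and a filter that compares the raw string will treat them as unrelated. The following is an added example written for this page, not code from the thread, Adobe or any rewrite product; the two-entry allowlist, `normalize_path` and the sample request paths are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical rule modelled on the thread: deny everything under /CFIDE/ except the
# two subtrees browsers must still reach, /CFIDE/scripts/ (cfajax.js etc.) and
# /CFIDE/classes/ (old-style CFFORM applets). The negative lookahead is the Perl/PCRE
# construct asked for in the thread; the same pattern is valid in Apache's LocationMatch
# and in PCRE-based ISAPI rewrite tools.
CFIDE_DENY = re.compile(r"^/cfide/(?!(?:scripts|classes)/)", re.IGNORECASE)


def normalize_path(raw_path):
    """Reduce a request path to the canonical form the rule is matched against.

    Decodes percent-encoding until stable (catches double encoding), unifies
    separators, collapses doubled slashes and resolves '.' and '..' segments.
    """
    path = raw_path.split("?", 1)[0]          # drop the query string
    previous = None
    while previous != path:                    # decode until nothing changes
        previous = path
        path = unquote(path)
    path = path.replace("\\", "/")             # Windows-style separators
    path = re.sub(r"/{2,}", "/", path)         # collapse doubled slashes
    segments = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    canonical = "/" + "/".join(segments)
    if path.endswith("/") and canonical != "/":
        canonical += "/"                       # keep directory requests recognisable
    return canonical


def is_allowed(raw_path):
    """True when the request may pass to ColdFusion, False when it hits a locked subtree."""
    return CFIDE_DENY.search(normalize_path(raw_path)) is None


def audit(paths):
    """Map each request path to 'allow' or 'deny'; useful as a quick self-check of the rule."""
    return {p: ("allow" if is_allowed(p) else "deny") for p in paths}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sample = [
        "/index.cfm",
        "/CFIDE/scripts/ajax/package/cfajax.js",
        "/CFIDE/classes/",
        "/cfide/administrator/",
        "/CFIDE/adminapi/",
        "/CFIDE/componentutils/",
        "/CFIDE/wizards/",
        "/CFIDE/scripts/../administrator/",
        "/CFIDE%2Fadministrator/",
        "//CFIDE//administrator",
    ]
    for path, verdict in audit(sample).items():
        print(f"{verdict:5}  {path}")
```

The last three sample paths are the reason for `normalize_path`: each names the administrator directory without containing the literal string `/CFIDE/administrator/`, so a rule applied to the raw request would let them through while the canonical form is correctly denied. Whatever layer enforces the rule in production (web server, rewrite filter or firewall proxy) should be checked against the same kind of list.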
Re: Millions of Coldfusion sites need to apply patches
> Richard Brain of ProCheckUp commented: "This is a trivial attack which can be performed easily by a competent engineer; ProCheckUp thanks Adobe for consciously working with us to produce a patch which fixes the traversal attack." By performing a simple Google search for inurl:index.cfm, over 80 million examples of sites using Coldfusion were found.

Gee, I thought ColdFusion was dead. Guess not

Will

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336214
RE: Millions of Coldfusion sites need to apply patches
If you google for inurl:*.cfm you get 259 million results.

andy

-Original Message-
From: Will Tomlinson [mailto:w...@wtomlinson.com]
Sent: Wednesday, August 11, 2010 9:12 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches

>> Richard Brain of ProCheckUp commented: "This is a trivial attack which can be performed easily by a competent engineer; ProCheckUp thanks Adobe for consciously working with us to produce a patch which fixes the traversal attack." By performing a simple Google search for inurl:index.cfm, over 80 million examples of sites using Coldfusion were found.
>
> Gee, I thought ColdFusion was dead. Guess not
>
> Will

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336216
RE: Millions of Coldfusion sites need to apply patches
Says About 2,600,000,000 results for me.

.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

-Original Message-
From: andy matthews [mailto:li...@commadelimited.com]
Sent: Wednesday, August 11, 2010 10:38 PM
To: cf-talk
Subject: RE: Millions of Coldfusion sites need to apply patches

> If you google for inurl:*.cfm you get 259 million results.
>
> andy
>
> -Original Message-
> From: Will Tomlinson [mailto:w...@wtomlinson.com]
> Sent: Wednesday, August 11, 2010 9:12 PM
> To: cf-talk
> Subject: Re: Millions of Coldfusion sites need to apply patches
>
>> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336217
Re: Millions of Coldfusion sites need to apply patches
Having worked with Google's search API, those numbers do tend to be estimates ;o)

Mark

On Thu, Aug 12, 2010 at 12:44 PM, Bobby Hartsfield bo...@acoderslife.com wrote:

> Says About 2,600,000,000 results for me.
>
> .:.:.:.:.:.:.:.:.:.:.:.:.:.
> Bobby Hartsfield
> http://acoderslife.com
>
> -Original Message-
> From: andy matthews [mailto:li...@commadelimited.com]
> Sent: Wednesday, August 11, 2010 10:38 PM
> To: cf-talk
> Subject: RE: Millions of Coldfusion sites need to apply patches
>
>> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336218
Re: Millions of Coldfusion sites need to apply patches
> Says About 2,600,000,000 results for me

A lot of those are probably mine. I stopped taking Ritalin a few years back. ;)

G!

On Wed, Aug 11, 2010 at 10:44 PM, Bobby Hartsfield bo...@acoderslife.com wrote:

> Says About 2,600,000,000 results for me.
>
> .:.:.:.:.:.:.:.:.:.:.:.:.:.
> Bobby Hartsfield
> http://acoderslife.com
>
> -Original Message-
> From: andy matthews [mailto:li...@commadelimited.com]
> Sent: Wednesday, August 11, 2010 10:38 PM
> To: cf-talk
> Subject: RE: Millions of Coldfusion sites need to apply patches
>
>> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336219