ColdFusion 7 is no longer supported by Adobe. Therefore only customers
who have extended support, which you pay for, are entitled to a fix
for CF7.
But as has already been pointed out, just restrict your /CFIDE.
Andy
On 11 August 2010 22:17, Gerald Guido gerald.gu...@gmail.com wrote:
Wait a
Millions of sites applying one patch is better than Millions of sites
applying Millions of patches ^^
http://www.digitaltrends.com/computing/microsoft-issues-record-number-of-patches/
Just a reminder, we published a ColdFusion 9 Server Lockdown Guide back in
June. It provides details and instructions for securing the ColdFusion
Administrator. While the guide was written for ColdFusion 9 specifically,
most of the tips will apply to version 6+.
Same here... restricted by internal IP address and username/password.
-Original Message-
From: Andrew Grosset [mailto:rushg...@yahoo.com]
Sent: Wednesday, August 11, 2010 2:08 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches
phew!! for a moment I
Is it sufficient to restrict access to /cfide/administrator?
The easiest solution is to restrict access to /CFIDE/, which
unfortunately only a slight majority of Coldfusion sites have done.
Is it sufficient to restrict access to /cfide/administrator?
You may also want to restrict access to /CFIDE/adminapi.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and
I get 2,800,000,000 results.
If you google for inurl:*.cfm
You get 259 million results.
andy
Richard Brain of ProCheckUp commented "This is a trivial attack which
can be performed easily by a competent engineer; ProCheckUp thanks
Adobe for consciously working with us to produce a patch which fixes
the traversal attack. By performing a simple Google search for
inurl:index.cfm,
For the bare minimum restrict access to the following directories:
/CFIDE/adminapi/
/CFIDE/administrator/
/CFIDE/componentutils/
/CFIDE/wizards/
Can someone pass me the Perl regex to allow the scripts folder? I'm just not
getting it on my own. So the rule would match anything that contains /CFIDE/
*except /CFIDE/SCRIPTS/ case insensitive.
Thanks in advance for saving me hours and hours of trial and error.
On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley
cascadefreehee...@gmail.com wrote:
Can someone pass me the Perl regex to allow the scripts folder? I'm just
not getting it on my own. So the rule would match anything that contains
/CFIDE/ *except /CFIDE/SCRIPTS/ case insensitive.
You can put
Thanks Pete. Unfortunately, I'm dealing with a virtual directory issue and
ghetto architecture in IIS. I was able to figure out how to lock it down
using the firewall and http proxy rules.
On Thu, Aug 12, 2010 at 2:09 PM, Pete Freitag p...@foundeo.com wrote:
On Thu, Aug 12, 2010 at 4:21 PM,
phew!! for a moment I was worried
No authentication is needed; all that is needed is that the admin console is
accessible to the Internet.
Apply patches as described below, or restrict access to /CFIDE/administrator/ by
IP address or other similar controls.
this line is important:
Wait a second
According to the ProCheckUp site the vulnerability affects
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
And Adobe's Security bulletin says it affects ColdFusion 8.0, 8.0.1, 9.0,
9.0.1 and earlier versions
While I'm glad that Adobe and Procheckup have worked this out, it shows yet
another reason why people should be making sure that their cfadmin is not
publicly accessible.
Making it only accessible from behind a firewall or VPN is something
that I think people should be doing
Regrettably Adobe has seen fit to release only patches for version 8 and
version 9.
The easiest solution is to restrict access to /CFIDE/, which unfortunately only
a slight majority of Coldfusion sites have done.
The greatest problem is that the patches can be easily analysed and reverse
My intention is not to spread FUD, but to ensure people are patched and
'ready' ASAP.
If that is your intention, then don't release the 'sploit.
G!
On Wed, Aug 11, 2010 at 5:21 PM, Procheckup news n...@procheckup.com wrote:
Regrettably Adobe has seen fit to release only patches for version
If that is your intention, then don't release the 'sploit.
There are two problems with that:
1. Without an exploit for testing, how can you tell if you're secure?
Tools like Nessus, etc, rely on this for their functionality.
2. The exploit can presumably be derived by comparing the public
Whether to release the exploit or not is subject to a number of different
practical and moral considerations.
Firstly, security testers and testing tools need to have functional and working
exploits to validate if their customer's sites are secure; if exploits are
not released they cannot do
If we restrict access to CFIDE, won't the tags that make use of
resources in this directory break?
For example, the CF ajax features reference the file
cfide/scripts/ajax/package/cfajax.js
If we block CFIDE, these would break. What would be the workaround?
Procheckup news wrote:
Just expose the scripts, you don't have to expose the entire admin.
This could be done by simply copying them, or if you are on Apache, use
aliases, or on Linux, symbolic links, IIS Virtual directories (I think, I
don't really use IIS)...
Lots of options.
Mark
On Thu, Aug 12, 2010 at 8:52 AM,
By golly it worked! Is the CFIDE/scripts directory the only one needed
to be remapped?
Mark Mandel wrote:
Just expose the scripts, you don't have to expose the entire admin.
This could be done by simply copying them, or if you are on Apache, use
aliases, or on Linux, symbolic links, IIS
ISAPI rewrite (1st one)
http://www.robgonda.com/blog/files/robGonda/UserFiles/File/bprucell.2005.11.03.txt
This has lots of good stuff:
http://foundeo.com/security/presentations/hardening-coldfusion.pdf
Hardening servers is a blast! Everyone should do it.
:Den
--
Six is a number perfect
By golly it worked! Is the CFIDE/scripts directory the only one needed
to be remapped?
If you're using old-style CFFORM stuff with Java applets, you will
need /CFIDE/classes as well.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is
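An added example, not code from this thread, from Adobe or from Foundeo: it shows in Python (rather than in the Perl/ISAPI rewrite syntax Tony asked for) the regex that answers Tony's question ("anything containing /CFIDE/ except /CFIDE/scripts/, case insensitive"), with /CFIDE/classes/ also left open as Dave Watts notes for old CFFORM applets, and puts it beside the four-directory "bare minimum" list from earlier in the thread. Both rules run over constructed sample request paths (only cfajax.js is taken from the thread) after the path is normalised the way a server would resolve it, so the difference between the two approaches and the effect of case, encoding and dot segments is visible. The function names are assumptions.

```python
"""Added example, not code from the cf-talk thread or from Adobe/Foundeo.

Two ways to decide which /CFIDE/ requests a front-end rule should block:

  * regex: Tony's "anything containing /CFIDE/ except /CFIDE/scripts/",
    with /CFIDE/classes/ also allowed for old CFFORM applets (Dave Watts)
  * minimum list: the four directories the thread names as the bare minimum

Paths are normalised (query stripped, percent-decoded, dot segments
collapsed, lower-cased) before matching, so the rule sees the path the
server will actually resolve.  Function names and the sample requests,
except cfajax.js, are constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# The regex for Tony's question.  (?i) = case-insensitive; (?!...) is a
# negative lookahead, so /CFIDE/scripts/ and /CFIDE/classes/ do not match.
CFIDE_EXCEPT_ALLOWED = re.compile(r"(?i)/CFIDE/(?!scripts/|classes/)")

# "Bare minimum" directories from the thread, lower-cased for comparison.
MINIMUM_BLOCKED = (
    "/cfide/adminapi/",
    "/cfide/administrator/",
    "/cfide/componentutils/",
    "/cfide/wizards/",
)


def normalise(request_target: str) -> str:
    """Return the decoded, dot-segment-free, lower-cased path of a request."""
    raw = unquote(urlsplit(request_target).path)   # drop ?query, decode %xx
    path = posixpath.normpath(raw)                  # collapse ./ and ../
    path = "/" + path.lstrip("/")                   # single leading slash
    if raw.endswith("/") and not path.endswith("/"):
        path += "/"                                 # normpath drops the trailing /
    return path.lower()


def blocked_by_regex(request_target: str) -> bool:
    """Deny-by-default rule: block /CFIDE/ except the allowed subfolders."""
    return CFIDE_EXCEPT_ALLOWED.search(normalise(request_target)) is not None


def blocked_by_minimum_list(request_target: str) -> bool:
    """Narrow rule: block only the four directories named in the thread."""
    path = normalise(request_target)
    return any(path == d.rstrip("/") or path.startswith(d) for d in MINIMUM_BLOCKED)


# Constructed sample requests (cfajax.js is the one path quoted in the thread).
SAMPLE_REQUESTS = [
    "/CFIDE/administrator/index.cfm",
    "/cfide/ADMINAPI/",
    "/CFIDE/componentutils/",
    "/CFIDE/wizards/",
    "/CFIDE/scripts/ajax/package/cfajax.js",    # must stay reachable
    "/CFIDE/classes/",                           # old CFFORM applets
    "/CFIDE/other/x.cfm",                        # where the two rules differ
    "/CFIDE/scripts/../administrator/",          # dot segments collapse first
    "/%43FIDE/administrator/",                   # percent-encoded letter
    "/index.cfm?page=/CFIDE/administrator/",     # query string is not the path
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each request to (blocked_by_regex, blocked_by_minimum_list)."""
    return {r: (blocked_by_regex(r), blocked_by_minimum_list(r)) for r in requests}


if __name__ == "__main__":
    print(f"{'request':45} {'regex':>6} {'minimum':>8}")
    for req, (by_regex, by_list) in evaluate().items():
        print(f"{req:45} {str(by_regex):>6} {str(by_list):>8}")
```

The regex is the part that transfers to a rewrite rule: the negative lookahead is what makes "everything under /CFIDE/ except the scripts folder" a single pattern. The constructed /CFIDE/other/x.cfm row is the point of the comparison: the deny-by-default regex blocks it, the four-directory minimum list does not, which is why the thread's advice to restrict all of /CFIDE/ and re-expose only scripts (and classes if needed) is the safer default. Whatever rule syntax is used, it has to be applied to the decoded and normalised path, as the last three sample rows show.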
-Original Message-
From: Will Tomlinson [mailto:w...@wtomlinson.com]
Sent: Wednesday, August 11, 2010 9:12 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches
Richard Brain of ProCheckUp
-Original Message-
From: andy matthews [mailto:li...@commadelimited.com]
Sent: Wednesday, August 11, 2010 10:38 PM
To: cf-talk
Subject: RE: Millions of Coldfusion sites need to apply patches
If you google for inurl:*.cfm
You get 259 million results.
andy
Hartsfield
http://acoderslife.com