Thanks Pete. Unfortunately, I'm dealing with a virtual directory issue and
ghetto architecture in IIS. I was able to figure out how to lock it down
using the firewall and http proxy rules.
On Thu, Aug 12, 2010 at 2:09 PM, Pete Freitag wrote:
>
> On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley
> w
On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley wrote:
>
> Can someone pass me the Perl regex to allow the scripts folder? I'm just
> not getting it on my own. So the rule would match anything that contains
> /CFIDE/ *except /CFIDE/SCRIPTS/ case insensitive.
>
>
You can put the /CFIDE/scripts/ fold
Can someone pass me the Perl regex to allow the scripts folder? I'm just not
getting it on my own. So the rule would match anything that contains /CFIDE/
*except /CFIDE/SCRIPTS/ case insensitive.
Thanks in advance for saving me hours and hours of trial and error.
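An added check, not from the thread or from any of the posters, that expresses the rule Tony asks for as a Perl-style regex and exercises it in Python (whose re module accepts the same negative-lookahead syntax as Perl/PCRE). The rewrite module's own directive for applying the pattern is not shown here and depends on the engine in use; the sample request paths are constructed, and the second, narrower pattern is built from the "bare minimum" directory list and the /CFIDE/classes remark that appear later in this thread. The normalisation step is an assumption of this example about how such a rule should be applied: the pattern is evaluated on the percent-decoded, dot-segment-collapsed path rather than on the raw request string.

```python
import posixpath
import re
from urllib.parse import unquote

# Perl-style pattern for the rule asked about above: match any path containing
# /CFIDE/ unless the next segment is scripts/ (case-insensitive). Python's re
# module understands the same negative-lookahead syntax as Perl/PCRE.
CFIDE_DENY = re.compile(r"/CFIDE/(?!scripts/)", re.IGNORECASE)

# Narrower pattern built from the "bare minimum" directory list posted in this
# thread (plus /CFIDE/adminapi/, which is also named there). Use it when more of
# /CFIDE/ has to stay reachable, e.g. /CFIDE/classes for old-style CFFORM
# applets, which the blanket rule above would block.
CFIDE_MINIMUM_DENY = re.compile(
    r"/CFIDE/(?:adminapi|administrator|componentutils|wizards)/",
    re.IGNORECASE,
)

# Constructed sample requests (not taken from any real server log).
SAMPLE_PATHS = [
    "/index.cfm",
    "/CFIDE/scripts/ajax/package/cfajax.js",
    "/cfide/SCRIPTS/cfform.js",
    "/CFIDE/administrator/",
    "/cfide/ADMINAPI/",
    "/CFIDE/classes/cfform.jar",
    "/CFIDE/scripts/../administrator/",
    "/%43FIDE/administrator/",
]


def normalize(url_path: str) -> str:
    """Return the path the server will actually resolve for this request.

    Assumption of this example: the deny rule is applied after percent-decoding
    and after collapsing '.' and '..' segments, so the pattern sees the resolved
    directory and not the raw request string. The query string is dropped
    because it plays no part in which directory is reached.
    """
    raw = url_path.split("?", 1)[0]
    decoded = unquote(raw)
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    # normpath drops a trailing slash; keep it so "scripts/" still matches
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def is_blocked(url_path: str, rule: re.Pattern = CFIDE_DENY) -> bool:
    """True if the request should be refused under the given deny rule."""
    return rule.search(normalize(url_path)) is not None


if __name__ == "__main__":
    for name, rule in (("deny /CFIDE/ except scripts", CFIDE_DENY),
                       ("bare-minimum list", CFIDE_MINIMUM_DENY)):
        print(f"--- {name}")
        for path in SAMPLE_PATHS:
            verdict = "BLOCK" if is_blocked(path, rule) else "allow"
            print(f"{verdict:5}  {path}")
```

Running the block prints each constructed path with its verdict under both rules; the traversal and percent-encoded samples are there to show why the rule has to be evaluated on the normalised path, since on the raw string neither would contain a literal /CFIDE/administrator/.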
For the bare minimum, restrict access to the following directories:
/CFIDE/adminapi/
/CFIDE/administrator/
/CFIDE/componentutils/
/CFIDE/wizards/
~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusi
I get 2,800,000,000 results.
>If you google for inurl:*.cfm
>
>You get 259 million results.
>
>
>andy
>
>> Richard Brain of ProCheckUp commented "This is a trivial attack which
>> can be performed easily by a competent engineer; ProCheckUp thanks
>> Adobe for consciously working with us t
> Is it sufficient to restrict access to /cfide/administrator?
You may also want to restrict access to /CFIDE/adminapi.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provide
Is it sufficient to restrict access to /cfide/administrator?
>The easiest solution is to restrict access to /CFIDE/, which
>unfortunately only a slight majority of Coldfusion sites have done.
Same here... restricted by internal IP address and username/password.
-Original Message-
From: Andrew Grosset [mailto:rushg...@yahoo.com]
Sent: Wednesday, August 11, 2010 2:08 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches
phew!! for a moment I was
Just a reminder, we published a ColdFusion 9 Server Lockdown Guide back in
June. It provides details and instructions for securing the ColdFusion
Administrator. While the guide was written for ColdFusion 9 specifically,
most of the tips will apply to version 6+.
http://www.adobe.com/products/cold
Millions of sites applying one patch is better than Millions of sites
applying Millions of patches ^^
http://www.digitaltrends.com/computing/microsoft-issues-record-number-of-patches/
ColdFusion 7 is no longer supported by Adobe. Therefore only customers
who have "extended support", which you pay for, are entitled to a fix
for CF7.
But as has already been pointed out, just restrict your /CFIDE.
Andy
On 11 August 2010 22:17, Gerald Guido wrote:
>
> Wait a second
>
> According t
:.:.:.:.:.:.:.:.:.
> Bobby Hartsfield
> http://acoderslife.com
>
> -Original Message-
> From: andy matthews [mailto:li...@commadelimited.com]
> Sent: Wednesday, August 11, 2010 10:38 PM
> To: cf-talk
> Subject: RE: Millions of Coldfusion sites need to apply patches
>
> If you google for inurl:*.cfm
>
If you google for inurl:*.cfm
You get 259 million results.
andy
-Original Message-
From: Will Tomlinson [mailto:w...@wtomlinson.com]
Sent: Wednesday, August 11, 2010 9:12 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches
> Richard Brain of ProCheckUp commented "This is a trivial attack which
> can be performed easily by a competent engineer; ProCheckUp thanks
> Adobe for consciously working with us to produce a patch which fixes
> the traversal attack. By performing a simple Google search for
> inurl:index.c
> By golly it worked! Is the CFIDE/scripts directory the only one needed
> to be remapped?
If you're using old-style CFFORM stuff with Java applets, you will
need /CFIDE/classes as well.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software i
ISAPI rewrite (1st one)
http://www.robgonda.com/blog/files/robGonda/UserFiles/File/bprucell.2005.11.03.txt
This has lots of good stuff:
http://foundeo.com/security/presentations/hardening-coldfusion.pdf
Hardening servers is a blast! Everyone should do it.
:Den
--
Six is a number perfect in
By golly it worked! Is the CFIDE/scripts directory the only one needed
to be remapped?
Mark Mandel wrote:
> Just expose the scripts, you don't have to expose the entire admin.
>
> This could be done by simply copying them, or if you are on Apache, use
> aliases, or on Linux, symbolic links, IIS
Just expose the scripts, you don't have to expose the entire admin.
This could be done by simply copying them, or if you are on Apache, use
aliases, or on Linux, symbolic links, IIS Virtual directories (I think, I
don't really use IIS)...
Lots of options.
Mark
On Thu, Aug 12, 2010 at 8:52 AM,
If we restrict access to CFIDE, won't the tags that make use of
resources in this directory break?
For example, the CF ajax features reference the file
cfide/scripts/ajax/package/cfajax.js
If we block CFIDE, these would break. What would be the workaround?
Procheckup news wrote:
> Regrettabl
Whether to release the exploit or not is subject to a number of different
practical and moral considerations.
Firstly security testers and testing tools need to have functional and working
exploits to validate if their customer's sites are secure; if exploits are
not released they cannot do
> If that is your intention, then don't release the 'sploit.
There are two problems with that:
1. Without an exploit for testing, how can you tell if you're secure?
Tools like Nessus, etc, rely on this for their functionality.
2. The exploit can presumably be derived by comparing the public pat
>>>My intention is not to spread FUD, but to ensure people are patched and
'ready' ASAP.
If that is your intention, then don't release the 'sploit.
G!
On Wed, Aug 11, 2010 at 5:21 PM, Procheckup news wrote:
>
> Regrettably Adobe has seen fit to release only patches for version 8 and
> version
Regrettably Adobe has seen fit to release only patches for version 8 and
version 9.
The easiest solution is to restrict access to /CFIDE/, which unfortunately only
a slight majority of Coldfusion sites have done.
The greatest problem is that the patches can be easily analysed and reverse
eng
While I'm glad that Adobe and Procheckup have worked this out, it shows yet
another reason why people should be making sure that their cfadmin is not
publicly accessible.
Making it only accessible from behind a firewall or VPN is something that I
think people should be doing b
Wait a second
According the ProCheckUp site the vulnerability affects
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
And Adobe's Security bulletin says it affects ColdFusion 8.0, 8.0.1, 9.0,
9.0.1 and earlier versions fo
phew!! for a moment I was worried
No authentication is needed; all that is needed is that the admin console is
accessible to the Internet.
Apply patches as described below, or restrict access to /CFIDE/administrator/ by
IP address or other similar controls.
this line is important:
res