Unofficial Updater 2

File Integrity Checking CFIDE

So with the most recent attack on ColdFusion (detailed by Charlie Arehart, Part #1, Part #2) there was a comment left on the post that got me a bit concerned: the comment said all you had to do is search for h.cfm to remove the file placed by the attacker. My experience has been that if an attacker has had access to the server, there is no absolute way of knowing what they might have done, even with good log reconstruction. As I noted in my comment, in one instance I previously encountered a situation where an attacker put a file called fck_dialog_common.cfm into CFIDE/scripts/ajax/FCKeditor/editor/dialog/common. At first glance of the directory it looks right, but in actuality it is a file that was buried and hidden so the attacker could come back through it instead of the original entry point.

The only way to know is to have a way of doing file integrity checks against a known good source. The initial attack that was posted to the Adobe forum was found because an intrusion detection system (IDS) alerted the administrator that a file called h.cfm had been written to CFIDE.
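As an added example (not code from the original post or from Unofficial Updater 2), the script below shows the kind of file integrity check described above: hash every file under a known-good copy of CFIDE into a manifest, store it, and later diff a live CFIDE tree against it so that added, modified and removed files are reported by path. The baseline must come from a source you trust (installation media or a clean install), never from the server you suspect. The directory layout, the file names and their contents in the demo are constructed for illustration; the `scripts/ajax/FCKeditor/editor/dialog/common` path is the one mentioned in the text.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Persist the baseline so the comparison can run on a later date (or from another host)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    """Load a baseline written by save_manifest."""
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Return added, modified and removed relative paths, each as a sorted list."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: a known-good CFIDE copy vs. a live copy with one buried extra file
    and one modified file. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "cfide_known_good"
        live = Path(tmp) / "cfide_live"
        deep = "scripts/ajax/FCKeditor/editor/dialog/common"
        for base in (good, live):
            (base / deep).mkdir(parents=True)
            (base / "administrator").mkdir()
            # constructed sample contents; real CFIDE files would be hashed the same way
            (base / deep / "fck_dialog_common.js").write_text("// constructed sample\n")
            (base / "administrator" / "index.cfm").write_text("<!--- constructed sample --->\n")
        # tampering simulated only in the live copy
        (live / deep / "fck_dialog_common.cfm").write_text("<!--- constructed: unexpected file --->\n")
        (live / "administrator" / "index.cfm").write_text("<!--- constructed: modified --->\n")

        baseline_path = Path(tmp) / "cfide_baseline.json"
        save_manifest(build_manifest(good), baseline_path)
        return compare_manifests(load_manifest(baseline_path), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

Run against a real installation, `build_manifest` would be pointed at the clean CFIDE tree once to produce the baseline JSON, and at the live tree on each check; anything listed under `added` or `modified` is a file that needs to be explained, whatever its name looks like.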

Update to APSB12-06 and Unofficial Updater 2

So last Thursday (March 29th) Adobe published an update to APSB12-06 to address a defect introduced that prevented file uploads from working properly on ColdFusion 8.0.1, see the Adobe forum post for details. I have just updated Unofficial Updater 2 to apply the corrected files for ColdFusion 8.0.1.

So, good, they fixed the issue, but my problem with Adobe lies with how they communicate the change. I didn’t even know there was an update until I saw a post aggregated from the Adobe ColdFusion Blog. I am signed up to Adobe’s Security Notification Service, but I have never seen a notification come in regarding ColdFusion. And when you go to the updated ColdFusion Security Hotfix APSB12-06, where is the information that it has been updated? At the BOTTOM of the page. But at least it was updated; that counts for something, right?