Not surprising, yet another ColdFusion exploit
Yet another 0-day has been found that exploits ColdFusion installs where the directories within CFIDE are not properly secured, as noted in APSA13-03 from Adobe. If you haven’t properly secured a CFIDE that is public facing, it is only a matter of time until it gets hacked. The previous two that were found in January and April of this year should have been motivation enough.
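One way to check whether your CFIDE is actually reachable from outside is to audit the web server access log for CFIDE requests from untrusted addresses that the server answered instead of blocking. This is an added example, not code from this post or from Adobe; it assumes Combined Log Format, and the trusted networks and sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Combined Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Assumption: networks allowed to reach CFIDE; adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def exposed_cfide_hits(lines):
    """Return (client, path, status) for CFIDE requests from untrusted
    clients that were answered with 2xx/3xx, i.e. not blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, path, status = m.groups()
        # Compare lowercased: URL paths may be served case-insensitively.
        if not path.lower().startswith("/cfide/"):
            continue
        if is_trusted(client) or status[0] not in "23":
            continue
        hits.append((client, path, int(status)))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '10.1.2.3 - - [01/Jan/2000:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2000:10:03:00 +0000] "POST /cfide/adminapi/administrator.cfc HTTP/1.1" 403 210',
    '198.51.100.9 - - [01/Jan/2000:10:04:00 +0000] "GET /index.cfm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, path, status in exposed_cfide_hits(SAMPLE_LOG):
        print(f"CFIDE served to untrusted client {client}: {path} -> {status}")
```

Any hit means a CFIDE path was served to an address outside your trusted networks and the directory restrictions need attention.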
For those that are still running ColdFusion 8, my best advice to secure your ColdFusion install is to use the ColdFusion 9 Lockdown Guide. I have used it to secure ColdFusion 8 for several different clients. The only section in the lockdown guide that doesn’t apply to ColdFusion 8 is “Removing WSRP servlet mapping” since it was introduced in ColdFusion 9.
If you are attending cf.Objective() this year, there are several more security-related talks. I am talking on Web Hacking Tools on Thursday (1st day) at 2:35pm. Among the demonstrations will be how ridiculously easy it is to get access to ColdFusion Administrator if you have it accessible and not recently patched. I also highly recommend seeing both of Pete Freitag’s sessions, Writing Secure CFML and Locking Down CF Servers.
Lastly, Adobe has announced that a security patch to resolve APSA13-03 will be released on May 14th. Unofficial Updater 2 should be updated on May 15th while I’m heading to cf.Objective().