Path Traversal Vulnerability Security Hotfix for ColdFusion Released

coldfusion

Adobe released a security hotfix for a path traversal vulnerability in the ColdFusion administrator (CVE-2010-2861, APSB10-18). The Adobe security bulletin page lists the affected software versions: ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX. Take special notice of the "and earlier versions" wording: if you are running CF7 you will quite possibly still be vulnerable to this.

This vulnerability allows an attacker to read any file that ColdFusion has permission to read (on Windows this should be limited to the same drive that contains the ColdFusion administrator).

Applying the hotfix is quite simple: just replace a couple of files in your ColdFusion administrator directory. So go ahead and take care of this now; it should take less than 5 minutes of your time. Also, while you're at it, make sure your ColdFusion administrator is not publicly accessible: add IP restrictions or a web server password.
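Two defender-side checks that go with the two points above (the nature of a path traversal bug, and keeping /CFIDE off the public internet), written as an added example for this post rather than code from Adobe, ColdFusion or the hotfix itself. `safe_join` is the generic containment check any file-serving code needs so that a user-supplied path cannot escape its base directory, including through URL-encoded or backslash variants; `flag_admin_requests` scans web server access-log lines for administrator requests from addresses outside an allowlist, or for traversal sequences, so you can confirm the administrator really is restricted. The base directory, the allowlisted range and the log lines are all constructed sample data.

```python
"""Added example for the ColdFusion path traversal hotfix post.
Not code from the original post, from Adobe, or from the hotfix.
All paths, IP ranges and log lines below are constructed samples."""
import ipaddress
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path inside base_dir; return the absolute path, or None
    if the request escapes the base (via '..', an absolute path, backslashes,
    or percent-encoded forms of those). Decoding is repeated a bounded number
    of times so double encoding such as %252e%252e is also caught."""
    decoded = user_path
    for _ in range(3):  # bounded loop: stop once decoding no longer changes anything
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")  # Windows accepts backslashes as separators
    base = os.path.realpath(base_dir)
    # An absolute user_path makes os.path.join discard base, which the
    # containment test below then rejects.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


# Constructed access-log lines in Apache combined-log style: one internal
# admin request, two from an external address (one carrying a traversal
# sequence), and one ordinary page view.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2010:16:31:38 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2010:16:32:01 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2010:16:32:05 -0400] "GET /CFIDE/administrator/%2e%2e/%2e%2e/x HTTP/1.1" 200 310
10.0.0.9 - - [12/Aug/2010:16:33:10 -0400] "GET /index.cfm HTTP/1.1" 200 2048
"""

ADMIN_PREFIX = "/CFIDE/"
# Constructed allowlist: only the internal 10/8 range may reach the administrator.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_admin_requests(log_text: str, allowlist=ADMIN_ALLOWLIST) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_path, reason) for each log line that either
    contains a directory-traversal sequence after percent-decoding, or reaches
    /CFIDE from an address outside the allowlist. Lines that do not parse as
    access-log entries are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status = m.groups()
        decoded = unquote(unquote(path)).replace("\\", "/")
        if "../" in decoded or decoded.endswith("/.."):
            findings.append((ip, path, "traversal sequence"))
            continue
        # Case-insensitive prefix check: IIS on Windows treats /cfide/ and /CFIDE/ alike.
        if path.upper().startswith(ADMIN_PREFIX.upper()):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in allowlist):
                findings.append((ip, path, "admin request from non-allowlisted IP"))
    return findings


if __name__ == "__main__":
    base = "/var/www/CFIDE"  # constructed base directory
    for req in ["locale/en.txt", "../../etc/passwd", "%252e%252e/etc", "/etc/passwd"]:
        print(f"{req!r:28} -> {safe_join(base, req)}")
    for ip, path, reason in flag_admin_requests(SAMPLE_LOG):
        print(f"{ip:14} {reason:38} {path}")
```

Run as a script it prints which sample paths are accepted and which log lines are flagged. Note that `flag_admin_requests` only tells you that the administrator was reached from outside; the fix for that is the IP restriction or web server password on /CFIDE, not the script.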

HackMyCF Updated

My ColdFusion security scanner, HackMyCF, has been updated to detect this vulnerability. There are a few conditions, however, in which it can't detect it, so I encourage you to apply the hotfix regardless of what it says.




Comments

On 08/12/2010 at 4:31:38 PM EDT Dave wrote:
1
Hey Pete, The Adobe instructions seem to indicate that a restart of the CF instances is required after copying the files, which for some would make this a bigger deal. Is that true or should I change that step to "Wipe hands on pants"? Thanks!

On 08/12/2010 at 4:36:47 PM EDT Pete Freitag wrote:
2
@Dave If you have trusted cache enabled, then you need to either restart or flush the cache. To the best of my knowledge restarting should not be required if trusted cache is not on.

On 08/17/2010 at 8:44:40 PM EDT non-tech wrote:
3
I get bogged down in these updates and fixes on the best of days. I'm a marketing guy, not a server admin... I have MX 7.0.2 and there's no patch available. Any suggestions? I don't keep the CFIDE stuff in the default directory, but is that enough?

On 08/17/2010 at 10:58:16 PM EDT Pete Freitag wrote:
4
@non-tech That's correct, there was no patch issued for CF 7. If you have blocked /CFIDE then you should be protected here.

On 08/18/2010 at 2:30:16 PM EDT non-tech wrote:
5
I'm not sure if it's blocked... Hackmycf only came back with two warnings, one for headers disclosing versions and another for an x-powered-by header response, so maybe I'm locked down better than I feared. Still have those to fix though...
