Determining Which Cumulative Hotfixes are Installed on ColdFusion

September 20, 2011
coldfusion

It's not always obvious which Cumulative hotfixes are installed on a ColdFusion server. I'm pleased to announce that the paid subscriptions for HackMyCF now let you know which cumulative (non security) hotfixes you have installed, and which ones you don't.

As you may know Adobe released Cumulative Hotfix 2 for ColdFusion 9.0.1 on Friday. So here's what a server that is running cumulative hotfix 1 for 9.0.1 but not cumulative hotfix 2 looks like in a HackMyCF subscription:

showing cumulative hotfixes installed in ColdFusion

The current known limitations of this feature are:

  • Not enabled for ColdFusion 8.0.0 or below at this time (does work for 8.0.1 however).
  • Requires a paid subscription and the probe installed (not possible on free version).

Also announcing the HackMyCF Probe

The probe is a cfm file that you place on your server, subscribers can specify a url to the cfm file for each server in their account. Then when we scan your server we also connect to this probe.cfm, which allows us to get information such as the exact ColdFusion version number (though we can usually determine this with out the probe), the JVM version, which hotfix jar files have been installed, and it also allows us to get a MD5 sum of certain files.

The addition of the probe allows us to find more potential vulnerabilities on your server, for example we can determine if ColdFusion is running as the SYSTEM, we can determine if you are running a version of the JVM that is selectable to a easy to execute denial of service (we could detect this without the probe, but since that would crash your server, we need to use the probe to detect it).

We launched the probe feature in HackMyCF several months ago, however it has been a somewhat soft launch (we haven't been promoting it too much yet). It has been in use now by lots of customers and is pretty solid (we haven't to update the probe.cfm file, even this latest feature uses existing functionality).



Related Entries

This entry was:

Comments

Keep up the good work. Impressive stuff!
Excellent blog! Do you have any tips for aspiring writers? I'm planning to start my own website soon but I'm a little lost on everything. Would you recommend starting with a free platform like Wordpress or go for a paid option? There are so many choices out there that I'm completely overwhelmed .. Any tips? Many thanks!

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?