Path Traversal Vulnerability Security Hotfix for ColdFusion Released
Adobe released a security hotfix for a path traversal vulnerability in ColdFusion administrator (CVE-2010-2861, APSB10-18). On the Adobe security bulletin page it lists affected software versions: ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX. Take special notice of the and earlier versions, so if you are running CF7 you will quite possibly still be vulnerable to this.
This vulnerability allows an attacker to ready any file that ColdFusion has permission to read (on windows this should be limited to the same drive that contains the ColdFusion administrator).
Applying the hotfix is quite simple, just replace a couple files in your ColdFusion administrator directory. So go ahead and take care of this now, it should take less than 5 minutes of your time. Also while your at it, make sure you ColdFusion administrator is not publicly accessible. Add IP restrictions, or a web server password.
My ColdFusion Security Scanner, HackMyCF has been updated to detect this vulnerability. There are a few conditions however in which it can't detect it, so I encourage you to apply the hotfix regardless of what it says.
- HackMyCF Updated for APSB11-29 Security Hotfix - December 15, 2011
- Recent ColdFusion Security Hotfix Updated Today - March 7, 2011
- Setup ColdFusion 9.0.1 Fully Patched - March 16, 2012
- Adobe eSeminar on FuseGuard - October 26, 2011
- You May Need to Reapply CF Security Hotfix CVE-2009-1877 - October 22, 2009
The Adobe instructions seem to indicate that a restart of the CF instances are required after copying the files, which for some would make this a bigger deal. Is that true or should I change that step to "Wipe hands on pants"? Thanks!
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained