For those who haven’t installed the latest hotfix for ColdFusion 9.0.1 from Adobe, here is the link:
Archive for category Security
The ColdFusion directory traversal vulnerability has been classified by Adobe as important rather than critical, and I agree with A.P. (Adrian P. of GnuCitizen) that this is a mistake. Here’s why I think this is a big mistake. On top of the excellent analysis Adrian has already done (check his excellent post here), I think it’s relevant to do a little digging yourself to understand the full scope of the potential problem.
This post is worth reading.
Here is the link.
Adobe ColdFusion is an easy-to-use and very widely adopted programming language. Procheckup has discovered that the ColdFusion admin console (and various programs within) are vulnerable to multiple directory traversal attacks related to an input parameter. No authentication is needed; all that is needed is that the admin console is accessible to the Internet.
Notes: Tested on ColdFusion Enterprise version 7.0 and version 8.01 running on Windows XP and Windows 2003 R2 SP2 Server, mapped to IIS 6.
Defaults were chosen with “server contained installation” (“like the earlier versions”) and all subcomponents.
ColdFusion 9 provides an additional layer of filtering to prevent common attacks, preventing the below attack from working. Procheckup nevertheless recommends that ColdFusion 9 users apply the ColdFusion 9 patches, as Procheckup has found the filtering can be bypassed.
Versions tested and found vulnerable:
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix 4 (http://seclists.org/fulldisclosure/2010/Aug/att-127/PR10-07-nes.txt)
Hotfix available for ColdFusion (APSB10-18)
Apply patches as described below, or restrict access to /CFIDE/administrator/ by IP address or other similar controls.
See http://www.adobe.com/support/security/bulletins/apsb10-18.html
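As an added illustration of the mitigation above (this is not Procheckup’s or Adobe’s code), here is a small Python log check that flags admin-console requests carrying traversal sequences, including double-encoded ones, or arriving from outside an IP allowlist. The log format, the client addresses, the 10.0.0.0/8 allowlist and the page.cfm?p= parameter are constructed placeholders, not details from the advisory.

```python
import re
import ipaddress
from urllib.parse import unquote
# Constructed, simplified access-log lines: "<client-ip> <method> <path> <status>".
SAMPLE_LOG = """\
203.0.113.7 GET /CFIDE/administrator/index.cfm 200
198.51.100.9 GET /CFIDE/administrator/page.cfm?p=..%2F..%2Fsome%2Ffile.txt 200
198.51.100.9 GET /CFIDE/administrator/page.cfm?p=..%252F..%252Fsome%252Ffile.txt 200
10.0.0.5 GET /CFIDE/administrator/index.cfm 200
203.0.113.7 GET /index.cfm?id=5 200
"""
# Hypothetical allowlist: only the management network may reach the admin console.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def normalise(value, rounds=3):
    """Percent-decode repeatedly (catches double encoding) and unify slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_admin_request(path):
    return normalise(path).lower().startswith("/cfide/administrator/")

def has_traversal(path):
    """True if the decoded path or query carries a '..' sequence."""
    return ".." in normalise(path)

def scan_log(text):
    """Return (ip, path, reasons) for each admin-console request worth alerting on."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        if not is_admin_request(path):
            continue
        reasons = []
        if has_traversal(path):
            reasons.append("traversal")
        if not any(ipaddress.ip_address(ip) in net for net in ADMIN_ALLOWLIST):
            reasons.append("source not in admin allowlist")
        if reasons:
            findings.append((ip, path, reasons))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports three of the five sample lines; the request from the allowlisted 10.0.0.5 host and the non-admin request are left alone.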
Announcing a new Meetup for The Online ColdFusion Meetup!
Our 12pm (US ET) talk on Thursday June 17 will be “Introduction to FuseGuard and Web Application Firewalls”, with Pete Freitag. (Editorial note from Charlie: Please note from the description that this will be both a general introduction to web app firewalls as a class and to a particular one, Fuseguard, presented by the maker of FuseGuard.)
TOPIC DESCRIPTION: (provided by the speaker)
Web Application Firewalls are becoming more and more a crucial part of web application architecture. Learn about the different types of Web Application Firewalls, and why you might want to deploy one in front of your ColdFusion application. We will then get into some of the specifics of FuseGuard, a web application firewall written purely in CFML.
Some time ago I implemented a tool on my own site to throttle when any single IP address (bot, spider, hacker, user) made too many requests at once. I’ve mentioned it occasionally and people have often asked me to share it, which I’ve happily done by email. Today with another request I decided to post it and of course seek any feedback.
by Charles Arehart
URL: http://www.carehart.org/blog/client/index.cfm/2010/5/21/throttling_by_ip_address
The ColdFusion security hotfix in the bulletin APSB10-11 was causing problems with CF 8 64-bit.
It’s now fixed and you may download it from Adobe’s site.
Adobe releases security update for ColdFusion 8 and 9.
ColdFusion : Security Bulletin APSB10-11
Please see comments
Adobe released a security update for Shockwave Player:
ColdFusion security issue related to BlazeDS. Affects 7, 8, and 9.
Visit Adobe’s bulletin page and follow the instructions to update your server.
National Cyber Alert System
Technical Cyber Security Alert TA09-343A
Adobe Flash Vulnerabilities Affect Flash Player and Adobe AIR
Systems Affected
- Adobe Flash Player 10.0.32.18 and earlier versions
- Adobe AIR 1.5.2 and earlier versions
Here is the link.