Archive for category Security

Cumulative Hotfix 1 (CHF1) for ColdFusion 9.0.1


For those who haven’t installed the latest hotfix for ColdFusion 9.0.1 from Adobe, here is the link:

http://kb2.adobe.com/cps/862/cpsid_86263.html


Adobe ColdFusion’s Directory Traversal Disaster


The ColdFusion directory traversal vulnerability has been classified by Adobe as important rather than critical, and I agree with A.P. (Adrian P. of GnuCitizen) that this is a mistake. Here’s why I think this is a big mistake … on top of the excellent analysis Adrian has already done (see his post here), I think it’s relevant to do a little digging yourself to understand the full scope of the potential problem.

This post is worth reading.

Here is the link.


Unauthenticated File Retrieval (traversal) within ColdFusion Administration Console


Adobe ColdFusion is an easy-to-use and very widely adopted programming language. Procheckup has discovered that the ColdFusion admin console (and various programs within it) is vulnerable to multiple directory traversal attacks related to an input parameter. No authentication is needed; all that is required is that the admin console is accessible from the Internet.
Notes: Tested on ColdFusion Enterprise version 7.0 and version 8.01 running on Windows XP and Windows 2003 R2 SP2 Server, mapped to IIS 6.
Defaults were chosen with “server contained installation” (“like the earlier versions”) and all subcomponents.
ColdFusion 9 provides an additional layer of filtering to prevent common attacks, which stops the attack below from working. Procheckup nevertheless recommends that ColdFusion 9 users apply the ColdFusion 9 patches, as Procheckup has found that the filtering can be bypassed.

Versions tested and found vulnerable
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4

(http://seclists.org/fulldisclosure/2010/Aug/att-127/PR10-07-nes.txt)

Hotfix available for ColdFusion (APSB10-18)

Apply the patches as described below, or restrict access to /CFIDE/administrator/ by IP address or other similar controls.

See http://www.adobe.com/support/security/bulletins/apsb10-18.html


Online ColdFusion MeetUp – Introduction to FuseGuard and Web Application Firewalls


Announcing a new Meetup for The Online ColdFusion Meetup!

Our 12pm (US ET) talk on Thursday June 17 will be “Introduction to FuseGuard and Web Application Firewalls”, with Pete Freitag. (Editorial note from Charlie: Please note from the description that this will be both a general introduction to web app firewalls as a class and to a particular one, Fuseguard, presented by the maker of FuseGuard.)

TOPIC DESCRIPTION: (provided by the speaker)

Web Application Firewalls are becoming a more and more crucial part of web application architecture. Learn about the different types of Web Application Firewalls, and why you might want to deploy one in front of your ColdFusion application. We will then get into some of the specifics of FuseGuard, a web application firewall written purely in CFML.

A tool to throttle rapid requests to your CF server from one IP address


Some time ago I implemented a tool on my own site to throttle when any single IP address (bot, spider, hacker, user) made too many requests at once. I’ve mentioned it occasionally and people have often asked me to share it, which I’ve happily done by email. Today with another request I decided to post it and of course seek any feedback.

by Charles Arehart

URL: http://www.carehart.org/blog/client/index.cfm/2010/5/21/throttling_by_ip_address


ColdFusion HotFix Issue Resolved


The ColdFusion security hotfix in the bulletin APSB10-11 was causing problems with CF 8 64-bit.

It’s now fixed, and you can download the update from Adobe’s site.

http://kb2.adobe.com/cps/841/cpsid_84102.html


Security Update Available for ColdFusion 8 and 9


Adobe has released a security update for ColdFusion 8 and 9.

ColdFusion : Security Bulletin APSB10-11

ColdFusion Update

Please see comments


Security update available for Shockwave Player


Adobe released a security update for Shockwave Player:

Security Bulletin APSB10-12

Adobe Shockwave Player


ColdFusion : Security Bulletin APSB10-05


ColdFusion security issue related to BlazeDS. Affects ColdFusion 7, 8, and 9.

Visit Adobe’s bulletin page and follow the instructions to update your server.


Technical Cyber Security Alert TA09-343A


National Cyber Alert System
Technical Cyber Security Alert TA09-343A

Adobe Flash Vulnerabilities Affect Flash Player and Adobe AIR

Systems Affected

  • Adobe Flash Player 10.0.32.18 and earlier versions
  • Adobe AIR 1.5.2 and earlier versions

Here is the link.
