Adobe ColdFusion is a easy to use and very widely adopted Programming language, Procheckup has discovered that the ColdFusion admin console (and various programs within) are vulnerable to multiple directory traversal attacks related to a input parameter. No authentication is needed; all that is needed is that the admin console is accessible to the Internet.
Notes: Tested on ColdFusion enterprise version7.0 amd version 8.01 running on Windows XP, and Windows 2003 R2 SP2 server and mapped to IIS 6.
Defaults were chosen with “server contained installation” “like the earlier versions”, and all subcomponents.
ColdFusion 9 provides an additional layer of filtering to prevent common attacks, preventing the below attack from working. Procheckup recommends however ColdFusion 9 users to apply the ColdFusion 9 patches as Procheckup have found the filtering can be bypassed.
Versions tested and found vulnerable
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
Hotfix available for ColdFusion (APSB10-18)
Apply patches as described below, or restrict access to /CIDE/administrator/ by IP address or other similar controls.