Feeds

Hackers: 'ColdFusion bug more serious than Adobe says'

'It works, and it's scary'

Boost IT visibility and business value

A recently patched vulnerability in Adobe's ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.

In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.

But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What's more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.

“This attack can lead to a full system compromise, so let's make sure we're clear,” HP researcher Rafal Los wrote here. “It's not just that you can poke around the system files of the machine you've attacked (which is highly likely a MS Windows server); it's also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”

One reason the vulnerability may have been rated critical is that attacks generally work only when ColdFusion administrative components are accessible over the public internet, something that's not considered a best practice. Los pointed to Google searchers here , here, here and here, which over the weekend generated “a lot of results.”

Around the same time, a hacker who goes by the name Carnal0wnage posted attack code that reliably exploits the vulnerability.

Also over the weekend, hacker and penetration tester Adrian Pastor warned that attackers could exploit the vulnerability to login as a ColdFusion admin without needing to crack the cryptographic hash.

Adobe on Monday issued the following statement:

“The ColdFusion hotfix and security bulletin released on August 10, 2010 address a directory traversal vulnerability (CVE-2010-2861) that could lead to information disclosure (http://www.adobe.com/support/security/bulletins/apsb10-18.html). The vulnerability on its own has been rated as ”important” in accordance with the severity criteria available on the Adobe website at http://www.adobe.com/devnet/security/security_zone/severity_ratings.html. Because it is possible for a vulnerability to be exploited in combination with other factors that may impact the overall severity of an attack, Adobe always recommends users update their product installations in line with security best practices.”

The vulnerability has attracted the attention of plenty of other people in the security field, including Mike Bailey, a penetration tester and researcher specializing in web applications.

“I[f] you haven't played with the ColdFusion attack yet, I recommend you do so,” he tweeted Saturday. “It works, and it's scary.” ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?