Feeds

Hackers: 'ColdFusion bug more serious than Adobe says'

'It works, and it's scary'

Choosing a cloud hosting partner with confidence

A recently patched vulnerability in Adobe's ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.

In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.

But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What's more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.

“This attack can lead to a full system compromise, so let's make sure we're clear,” HP researcher Rafal Los wrote here. “It's not just that you can poke around the system files of the machine you've attacked (which is highly likely a MS Windows server); it's also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”

One reason the vulnerability may have been rated critical is that attacks generally work only when ColdFusion administrative components are accessible over the public internet, something that's not considered a best practice. Los pointed to Google searchers here , here, here and here, which over the weekend generated “a lot of results.”

Around the same time, a hacker who goes by the name Carnal0wnage posted attack code that reliably exploits the vulnerability.

Also over the weekend, hacker and penetration tester Adrian Pastor warned that attackers could exploit the vulnerability to login as a ColdFusion admin without needing to crack the cryptographic hash.

Adobe on Monday issued the following statement:

“The ColdFusion hotfix and security bulletin released on August 10, 2010 address a directory traversal vulnerability (CVE-2010-2861) that could lead to information disclosure (http://www.adobe.com/support/security/bulletins/apsb10-18.html). The vulnerability on its own has been rated as ”important” in accordance with the severity criteria available on the Adobe website at http://www.adobe.com/devnet/security/security_zone/severity_ratings.html. Because it is possible for a vulnerability to be exploited in combination with other factors that may impact the overall severity of an attack, Adobe always recommends users update their product installations in line with security best practices.”

The vulnerability has attracted the attention of plenty of other people in the security field, including Mike Bailey, a penetration tester and researcher specializing in web applications.

“I[f] you haven't played with the ColdFusion attack yet, I recommend you do so,” he tweeted Saturday. “It works, and it's scary.” ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.