Coldfusion Vulnerability

Participant
August 2, 2012

Does anyone know what was the Coldfusion Vulnerability that allowed the hacking of MelbourneIT?


    2 replies

    Inspiring
    August 22, 2012

    [insults removed by admin]

    ...here's the immediately useful part:

    List of security hotfixes for Cold Fusion: http://www.adobe.com/support/security/#coldfusion 

    Applying the most recent hotfix -should- patch whatever vulnerability was exploited in the case you mentioned.   The article Charlie referenced does imply that a patch exists for this vulnerability.

    Another page I like to keep track of:  http://www.adobe.com/support/coldfusion/downloads_updates.html#cf9

    This page lists the major "Security Rollup" patches to CF.   You won't get the absolute latest hotfixes here, but some might prefer to just install these rollups when they come out as opposed to every individual hotfix.  The advantage to the rollups is that they are better tested and supported, and much less likely to introduce collateral problems.   If you look at the technotes for the individual hotfixes, you'll notice that it's not unusual for Adobe to put out hotfixes to fix problems caused by previous hotfixes.   Generally with the rollups you won't run into that kind of issue.

    Inspiring
    August 23, 2012

    [insults removed by admin]

    Engaging in censorship now, Adobe?  What's that all about?

    --

    Adam

    Legend
    August 23, 2012

    All users of these forums are required to comply with the Adobe Terms of Use and the forum guidelines. We do not tolerate personal insults of any kind and repeated violations will result in suspension of the user's account.

    Charlie Arehart
    Community Expert
    August 20, 2012

    Kevla, according to an Aussie security mag article, the site “was accessed through an unpatched Adobe ColdFusion vulnerability”. (http://www.scmagazine.com.au/News/309766,anonymous-to-release-40gb-cache-from-hacked-isp.aspx)

    While it doesn’t tell us “what that vulnerability was”, and I appreciate you may want to know specifically what it was, I’d read it as “the problem was one for which a patch had been made available, but they had not applied it”. And I’d suggest that’s the most important lesson that anyone should take from this.  :-)

    A CFer worried whether they need to fear the same break-in, and about how they may protect themselves, should recognize that there are indeed many vulnerabilities that admittedly do exist, especially if one has not applied any of the many CF security hotfixes (and updated versions) that Adobe has offered to address such vulnerabilities.

    But even beyond that, there are some vulnerabilities that they cannot/do not protect against within the s/w themselves, such as sql injection. For that, many sites are vulnerable simply because they’ve never implemented what was needed (code-wise, or at the web site or web application firewall level).

    I appreciate, Kevla, that you may not have been asking for info on CF security in general. :-) Still, I’ll offer the following as much for others (and if perhaps it may help you, too.)

    Going back to those fixes provided by Adobe, sadly, many shops seem to be ignorant of them, or assume they don’t need to worry about them, or they just never bother to add them—until they’re hacked. Of course, it’s up to people to apply the fixes.  The CF security fixes are listed here: http://www.adobe.com/support/security/#coldfusion. Something that’s not obvious there is that generally you need only apply the latest fix (which will have 2 sets of steps, one for those who have and one for those who have not applied previous security hotfixes.)

    (Now, before someone complains that Adobe should somehow make it possible for us to know of such fixes without “having to go hunt for them”, note that CF10 does finally add an automated hotfix mechanism, which will let people know right in the CF Admin when there are new fixes.)

    Beyond that, there are several other resources that address CF and security, all of which are required reading for anyone interested in CF and web site security (which really, we all should be):

    http://www.adobe.com/devnet/coldfusion/security.html

    http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf

    There’s even a nice page of CF security info on an OWASP wiki page:

    https://www.owasp.org/index.php/ColdFusion_Security_Resources

    There’s also a nice free tool which can check your server for certain known vulnerabilities (not all), and give you info on what you need to address the problems:

    http://hackmycf.com/

    This is from long-time CF community contributor Pete Freitag, and his company foundeo.com (both noted for sharing CF security expertise). Note there is also a commercial edition that can look even more closely by you adding a small CFC to your server that his tool can then talk to.

    His company also offers the excellent FuseGuard Web application firewall (http://foundeo.com/security/), a separately purchased product, which is one of the ways I allude to at the top, with respect to how one can put in place protections beyond the fixes, and what one may code themselves. (Before someone says, “Adobe should just buy and provide that”, just know that they are of course well aware of it, and there are pros and cons to them bundling such a web app firewall, and for now they choose not to do so.)

    Finally, I offer a list of many different kinds of security tools of interest to CFers, also broken down into the different levels at which one may implement protections, at http://www.cf411.com/security.

    I appreciate, Kevla, that all that wasn’t the direct answer to your question (though the first part about it being “unpatched” may have been news), but I do hope the other info may help you or others.

    /charlie

    /Charlie (troubleshooter, carehart.org)
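Charlie's point that SQL injection has to be handled in the application code itself (hotfixes do not cover it), illustrated with an added CFML example that is not from this thread, from Adobe or from Foundeo: the datasource `shop`, the `products` table and the `url.id`, `url.q` and `url.sort` parameters are assumed, and the ternary syntax needs ColdFusion 9 or later.

```cfml
<!--- Request parameters used below (assumed names, for illustration only). --->
<cfparam name="url.id" default="0">
<cfparam name="url.q" default="">
<cfparam name="url.sort" default="name">

<!--- Vulnerable form: url.id is interpolated into the SQL text, so whatever
      the caller supplies in that parameter is parsed as part of the statement. --->
<cfquery name="productUnsafe" datasource="shop">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- Hardened form: cfqueryparam binds the value as a typed parameter. With
      cfsqltype="cf_sql_integer" ColdFusion rejects non-integer input before
      the statement reaches the database, and the value never becomes part
      of the SQL text at all. --->
<cfquery name="product" datasource="shop">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Identifiers such as an ORDER BY column cannot be bound parameters, so map
      the request value onto an allow-list of known columns; anything else
      falls back to a fixed default. structKeyExists is case-insensitive, and
      the lookup returns the canonical column name, not the caller's text. --->
<cfset sortColumns = {name = "name", price = "price"}>
<cfset sortBy = structKeyExists(sortColumns, url.sort) ? sortColumns[url.sort] : "name">

<!--- LIKE patterns are still bound values: the wildcards are added server-side
      and maxlength caps how much text the caller can send. --->
<cfquery name="products" datasource="shop">
    SELECT id, name, price
    FROM products
    WHERE name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="102">
    ORDER BY #sortBy#
</cfquery>
```

The first query is the pattern a web application firewall such as the one mentioned above can only partially shield; the remaining three show the code-level fix that makes the firewall a second layer rather than the only one.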