RE: http://www.adobe.com/support/security/advisories/apsa13-03.html
Open letter to Adobe…
Adobe,
Please assign someone to trend all the ColdFusion vulnerabilities for the last five years. I am certain you'll find that a vast majority of them revolve around the CFIDE directory. Idea: Instead of endlessly patching the CFIDE modules every time a vulnerability is found or exploited, if you were to eliminate the CFIDE directory ColdFusion would probably be one of the more secure web platforms on the market. Just a thought.
For users of ColdFusion, my advice is to remove the CFIDE virtual directory from all your public facing sites. If your site requires the CFIDE/scripts directory, point the CFIDE virtual directory to an empty directory and then create a "scripts" virtual directory under it and point it to the original /CFIDE/scripts location. Poof -- probably 80% or more of the CF vulnerabilities avoided.
ColdFusion is a great platform and can be very secure -- minus the CFIDE.
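The virtual-directory change the post describes, written out as an added example for IIS 7+ (this is not the poster's code and is not Adobe's guidance). It assumes the WebAdministration module, a site called "Default Web Site", a CF9 install under C:\ColdFusion9 and an empty folder under C:\inetpub; adjust those values for your server.

```powershell
# Added example: repoint /CFIDE at an empty folder and re-expose only /CFIDE/scripts.
# All paths and the site name below are assumptions for illustration.
Import-Module WebAdministration

$site       = "Default Web Site"                      # assumed IIS site name
$cfScripts  = "C:\ColdFusion9\wwwroot\CFIDE\scripts"  # assumed CF9 install path
$emptyCfide = "C:\inetpub\empty_cfide"                # assumed empty folder

# 1. Create the empty directory that /CFIDE will resolve to from now on.
New-Item -ItemType Directory -Path $emptyCfide -Force | Out-Null

# 2. Replace the existing CFIDE virtual directory (the one that exposes
#    /CFIDE/administrator, /CFIDE/adminapi, ...) with one pointing at the empty folder.
#    Assumes CFIDE is a plain virtual directory, not an IIS application.
$cfidePath = "IIS:\Sites\$site\CFIDE"
if (Test-Path $cfidePath) {
    Remove-Item $cfidePath -Recurse -Confirm:$false
}
New-Item $cfidePath -ItemType VirtualDirectory -PhysicalPath $emptyCfide | Out-Null

# 3. Re-expose just the scripts folder (cfform.js etc.) as /CFIDE/scripts.
New-Item "$cfidePath\scripts" -ItemType VirtualDirectory -PhysicalPath $cfScripts | Out-Null

# 4. Verify: /CFIDE should map to the empty folder, /CFIDE/scripts to the real one.
Get-Item $cfidePath, "$cfidePath\scripts" | Select-Object Name, PhysicalPath
```

Run this once per public-facing site; the ColdFusion Administrator remains reachable through the internal connector or an internal-only site, which is where the lockdown guide expects it to live.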
Or if users would follow the CF lockdown guides for all production servers... What would be really nice is if the Web Server Configuration Tool had a "secure" checkbox that implemented most of the lockdown guide instructions automatically, and was by default set to checked (users would have to uncheck the box to not implement the lockdown guide).
Agreed. Adobe needs to create a tool to do most of the 50+ page lockdown guide. In my experience, only the geekiest of diehards and victims of hacks will take the time to walk through a guide that large and perform the necessary lock-downs. We have on our servers (and more) because we're a high risk target, but I'm certain most CF installations do not.
To me, creating this tool would be a high priority project on Adobe's end just to avoid the "ColdFusion is insecure" black eye that the product gets every time the next CFIDE vulnerability is discovered.
Hello Steve,
Please report any ColdFusion vulnerabilities to Adobe Product Security Incident Response Team at psirt@adobe.com.
Regards,
Anit Kumar
I'm not reporting a new vulnerability; I'm just trying to point out to you (Adobe, not you personally) that something should be done to help the average user more easily lock down a server. If the installer didn't publish the CFIDE virtual directory by default and instead only published the scripts directory, this would go a long way toward better securing an installation. That's really all I'm trying to convey.
Thanks for the HELP to the average user, as you said.
My knowledge is in the CF development language, not in the environment.
So, I have a lot of trouble on my server. It has been hacked.
Found the famous h.cfm and i.cfm files.
I tried them locally; h.cfm can destroy a server. I still run CF V9.0 in 64-bit.
Will update 9.01 + hotfix 2 solve this problem?
I found the 9.01 update for 64-bit,
but not hotfix 2 for 64-bit.
Can I apply them without trouble? I am always afraid when applying updates.
I am really afraid of losing the server and all my clients.
Thanks for recommendations and help.
The first thing that you need to do is lock down your server as per the Security Lockdown Guide. You are inviting the hackers yourself by not locking down the server. One of the simplest things to do is to make sure that your ColdFusion Administrator and AdminAPI are blocked from external access. Refer to the lockdown guide on how to do this.
And you must make sure to apply the latest security update. Cumulative hotfix 2 is not the latest security update for 9.0.1.
You should be on CHF 4 + latest security hotfix.
CHF4 - http://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-4-coldfusion-901.html
Latest security hotfix - http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-13.html
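One way to carry out the "block the Administrator and AdminAPI from external access" step on IIS 7+, as an added example (not the poster's code and not the lockdown guide's own script). It assumes the WebAdministration module, that the IIS "IP and Domain Restrictions" role service is installed, and a site named "Default Web Site"; the allowed-address list is a placeholder.

```powershell
# Added example: restrict /CFIDE/administrator and /CFIDE/adminapi to listed addresses
# using IIS IP and Domain Restrictions. Site name and address list are assumptions.
Import-Module WebAdministration

$site    = "Default Web Site"                          # assumed IIS site name
$paths   = @("CFIDE/administrator", "CFIDE/adminapi")  # paths named in the thread
$allowed = @("127.0.0.1")                              # placeholder: add admin hosts
$filter  = "system.webServer/security/ipSecurity"

# ipSecurity is locked at the server level by default; allow sites to override it.
Set-WebConfiguration -Filter "/$filter" -PSPath "IIS:\" -Metadata overrideMode -Value Allow

foreach ($p in $paths) {
    # Deny every address that is not explicitly listed for this location.
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Location $p `
        -Filter $filter -Name allowUnlisted -Value $false
    # Add each permitted address as an explicit allow entry.
    foreach ($ip in $allowed) {
        Add-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Location $p `
            -Filter $filter -Name "." -Value @{ ipAddress = $ip; allowed = $true }
    }
}

# Verify the effective setting: allowUnlisted must read False for both locations.
foreach ($p in $paths) {
    $cfg = Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Location $p -Filter $filter
    "{0}: allowUnlisted={1}" -f $p, $cfg.allowUnlisted
}
```

After applying it, a request to /CFIDE/administrator/ from a non-listed address should return HTTP 403 rather than the login page; check that from outside the allowed list before relying on it.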
I am not knowledgeable enough in these practices to do the LockDown the Server procedure;
it seems very complex to me.
And how many hotfixes need to be installed? I am confused; also, are they valid for a 64-bit CF version?
Then, in production, I do not want to take any risk.
Other question:
Does CF10 solve all these security problems?
Thanks for urgent help,
Hackers are looking for the h.cfm file every day.
In this situation, very HOT, I think Adobe should help closely customers who are not very familiar with
the environment of CF. I am basically a developer, not a system engineer, and I do not want to play with
the production machine. (I already lost 4 weeks of development with these problems.)
I looked at the LockDown the Server procedure; in my experience,
written procedures never work fully as described,
so I take the risk of having the server or CF down, and not being able to bring it back up.
Where can I find hand-by-hand help
to install update 9.01,
then the right sequence of hotfixes (or a cumulative hotfix),
and these for a 64-bit CF version?
Are you from Adobe?
Thanks for your cooperation.
@plarts,
I don't think Adobe provides the kind of assistance you are looking for (in implementing the lockdown guide), but there are consultants out there who can. I recommend contacting Charlie Arehart (http://www.carehart.org/consulting/). Charlie also has some great blog entries about installing updates; you might start here: http://www.carehart.org/blog/client/index.cfm/2012/6/18/what_hotfixes_have_been_applied. If you want an automated way of installing updates/hotfixes (the process of installing them pre-ColdFusion10 is rather tedious), look at the Unofficial Updater 2.
As to the question about CF10 solving security problems, the answer is generally yes. You still need to lock it down (and Adobe has provided an updated lockdown guide), but the updater system built into the CF Administrator greatly simplifies installing security updates. Depending on what OS you are running on, it can be literally a one-click process (Windows requires a little bit more work, but not much).
HTH,
-Carl V.
Thanks for the answer,
I will think about all of this.
The best to do.
I will see upgrading to CF10,
For the moment I have put cfabort in the CFIDE directories' application.cfm
(keeping the original one). It may be the best and simplest solution.
Hi Plarts,
FYI,
The HotFix is common for both 64-bit and 32-bit servers.
We release a Security HotFix to fix any critical security issue in the product. Please make sure you are updated to the latest Security HotFix.
The Security Bulletin and Technote released with the HotFix give you the step-by-step process to follow to apply the HotFix.
Here are the links for the Security Bulletin and Technote for the latest Security HotFix:
http://www.adobe.com/support/security/bulletins/apsb13-13.html
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-13.html
Also refer to the link below to lock down your server:
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
Yes. CF10 is relatively more secure, and the HotFix update mechanism is also much easier.
Regards,
YASHAS RATTEHALLI
ADOBE CF Team
As you are from ADOBE,
could you help me to update my CF9.0?
I may need to update Windows 2008 Server to SP1 first?
Really, I am afraid of updates and hotfixes; I am in production,
and so afraid to break the server, as I manage it remotely.
(I have seen so many updates breaking software in my computer life.)
The help would be:
from the current version (Windows and CF),
define clearly the first step, 2nd step, 3rd step, and so on.
Make sure at the end of each step that all is alright (verifications).
And make sure at the end that the vulnerability has disappeared?
Else, I stay with my CFABORT, which is very efficient, even if a few tags are not working.
Also, could you give me the link for the upgrade from CF9.0 to CF10 in 64-bit?
I did not find it (in 64-bit).
Thanks for your answer.
We have already given very detailed step-by-step instructions in the security bulletin and the technote. If you need any further assistance, you can reach out to support, or you can get someone from the community who is an expert on locking down the server.
You can also take a look at Charlie's response to your other thread.
BTW, CFABORT is not the answer to security vulnerabilities and therefore I would not recommend you do that. The best thing to do is to lock down the server and be on the latest security hotfix.
Really, I do not know where to start.
Too complicated for me, and no time for this,
and afraid to make a mistake in all the steps to go through.
I am developing sites and products; I am not a system engineer.
I will look to get someone from the community to help me.
For the moment the server is fine, stable, no more bad uploads coming.
But the vulnerability is still there.
As said, it comes from the product; I do not understand why it is the customer who pays
the consequences? (4 weeks lost in understanding what happened, and trying to stop the hacking.)
Also, I use the French Adobe site, and am trying to get the CF10 upgrade from CF9.0.
This is fully unclear; I will try to call them by phone.
I have also seen a problem with the CGI variable PATH_INFO missing in CF10 with IIS7?
Thanks for any help from Adobe.