A recently patched vulnerability in Adobe's ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software. In a bulletin published last week, Adobe rated the directory traversal …
Blimey, I thought we'd spotted and ironed out all these types of problems back when FrontPage Server Extensions were in the wild!
Another reason why coldfusion should not be run on a server
We used to have a very short list of banned applications that customers were not allowed to install on managed OS servers in our data centre because they presented an unnaceptable risk to other customers and our infrastructure. It was not that those apps on the list presented security vulnerabilities but that they actually were security vulnerabilities, every app on the list was top in its category for being fundamentally and irreparably insecure from the ground up, no point wasting anyones time trying to secure it.
The list was:
Be ahead of the game and secure the admin directories
This vulnerability won't affect those using ColdFusion who KNOW how to secure the server. Basically all of the directories under CFIDE need to be inaccessable to the Internet or IP secured, apart from essential files that are expected to be served to clients. The experienced CF users would have done that straight after installing it.
Like any server side service it can be a chink in the armour if you don't know what you're doing with it.
Adobe were quick to release a hotfix for those who haven't tightened things down, but I echo the criticism that they failed to emphasise the critical nature of it. The Reg has done CF users and system administrators a service by pressing the fire alarm button.
@The Cube - your list must have been drawn up by someone who doesn't have much experience with ColdFusion. I have a list of dangerous things not to drive: an articulated lorry, a ferry, and a fighter jet. Needless to say I'm clueless about these but those who specialise in driving/piloting them do so very safetly.
When your company name has become an invective, you have...arrived*?
"Someone just discovered a new security hole in $browser!"
"How bad is it? Important? Critical?"
"****. Well, I guess we are going to have roll out patches tonight..."
*For inverse values of "arrived."
Can someone explain
I'm not too cluey in this area but can someone explain to me the circumstances under which you would use ColdFusion rather than any.other software and what it is that it offers you over and above alternatives?
@Mark65 - I used to love it.
I used a bit of CF back in 2002 and before, I loved it.
The way that custom tags flow together and work was absolute magic. Its got a strong set of libaries and if I rember at all correctly, is highly scaleable.
The main reasons not to use it now for me, is its so much more expensive than ASP.net, and I love that even more. Still I think if you had alot of CF stuff set up, and had stumped up the licencing for it then it would make a great system.
It's an excellent platform
Cost has been CF's biggest problem, when most competing platforms are free.
In its favour is it's very quick to develop and maintain web apps. Scaling is great and server management is a breeze.
We're mostly a Java shop now but we've still got about 20 CF servers in production. Our or our customers' sysadmins look after Windows updates but the CF side is managed (very well) by developers.
I've very fond memories of ColdFusion but I'd not want to look for a job without something else on my CV
You must mean 'free' - one of the open source implementations of the open language spec. is now under the Apache groups watch; http://www.getrailo.com/
Adobe - look it up on Wikipedia
sun dried mud walls. Not even waterproof!
The only time I looked at CF was when we were asked to replace a auction web site written in CF. It seems the site would run for 20+ hours and then crash - this was a long time ago.
Funny how things change but remain the same :-)
I'm a CF developer, and it's an incredibly strong language with a very easy to learn basic syntax right up to AJAX, mapping, graph, PDF support, LDAP, MS Exchange.. etc. etc. built in. Some of these make it an excellent choice for intranet apps rather than public facing ones. (Direct printing of PDF created reports or invoices for instance)
On my production servers I have these directories closed off unless I need to log in, which I then promptly turn off after I've done what needs to be done.
Fair point that it is more expensive than a standard LAMP setup, but in the right hands the RAD it provides far outweighs the cost.
You can set them them to be accessible from localhost only.
How dare you submit informed posts, where your knowledge clearly puts you at an advantage.
In future, please refer to Jacqui's post for reference, where you're advised to confuse web applications with server software, and earlier and later versions of said software.
Shame on you.
Vulnerabilities exist in all server side platforms
I'm a Coldfusion evangelist, I basically think its great. It is a robust extensible scripting language that allows you to build and deploy applications quickly and easily. It also integrates very well with most other web based languages.
I also think that its a great thing that these sort of things are brought out into the open. Then there is more pressure for hotfixes to be built and released.
Coldfusion is relatively mature now (ok not as mature as perl or python) but it makes .net look like an infant in 'Years' out in the wild. I think if you count the historic instances where you've seen an article like this addressing CF security issues you'll find it to be a lot less than some other server side layers.
I strongly agree with other comments made here, installing any software as 'Vanilla' and leaving it in an out-of-the-box configuration is asking for trouble. Learn to secure your environment whatever it is.
Its not perfect, but then what web technology is?
its all about the administrator. how well he can secure the server. i havent done much CF anymore. but i still think its great. php, perl, java, all web languages gets security patches now and then.
nothing on earth will ever be perfect. especially web techs. but most important thing is to share what we know so we can fix it or take proper precautions. unlike adobe...