Adobe vulnerability: Pen test firm finds ColdFusion admin page flaw


London-based penetration testing company ProCheckUp Ltd. has discovered a vulnerability in Adobe Inc.'s ColdFusion programming language that leaves millions of companies open to attack.

Researchers at ProCheckUp were able to access every file -- including usernames and passwords -- from a server running ColdFusion by using a directory traversal and file retrieval flaw found within ColdFusion Administrator, the administration program for ColdFusion servers. A standard Web browser was used to carry out the attack, and no knowledge of the admin password was needed.


ProCheckUp managing director Richard Brain said a competent attacker would be able to exploit the Adobe vulnerability to steal files from the server and gain access to secure areas as well, eventually being able to modify content or shut down the website or application.

According to Adobe's website, ColdFusion is used by Bank of America Corp., JPMorgan Chase & Co., the Federal Reserve Bank and the United States Senate, as well as IT security companies Symantec Corp. and McAfee Inc.

Brain said his research showed that between 10 million and 20 million websites are written using ColdFusion and are configured using a typical ColdFusion admin page. "According to our research, 35% to 40% of those companies using ColdFusion have the administration page exposed, which could allow someone to read any file on the file server," Brain said.

ProCheckUp informed Adobe of the vulnerability in April, and on Aug. 10 the company produced a patch. "Adobe has been extremely good. They have worked very fast compared with some companies," Brain said. ProCheckUp has released an advisory about the vulnerability and will delay publication of the actual exploit code for seven days to allow administrators to apply patches.

But Brain warned that while Adobe's patch applied to versions 8 and 9 of ColdFusion, most users still appear to be on versions 5, 6 and 7, for which a patch has not been released.

"It is an absolutely huge vulnerability. You are looking at about 10 to 20 million websites that can easily be defaced by using it," he said. "I would advise anyone running ColdFusion 7 or below to prevent access to the ColdFusion administrator directory. That means changing the Web server console settings to prevent access to the CFIDE directory."
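A defender-side check that complements the advice above, added here as an example and not part of the article or of ProCheckUp's advisory: it scans constructed web-server access-log lines (Common Log Format) for requests to the CFIDE administrator path that come from outside an assumed administrative network (10.0.0.0/8) or that carry a directory traversal sequence, including URL-encoded and double-encoded forms. The log lines, addresses and the page name `page.cfm` are all made up for the example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines; none of these are from the article or advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2010:12:00:01 +0100] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [10/Aug/2010:12:00:02 +0100] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [10/Aug/2010:12:00:03 +0100] "GET /CFIDE/administrator/page.cfm?f=..%252F..%252Fsecret.txt HTTP/1.1" 200 1400
198.51.100.9 - - [10/Aug/2010:12:00:04 +0100] "GET /index.cfm HTTP/1.1" 200 800
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def has_traversal(target: str) -> bool:
    """True if the request target contains ../ or ..\\ in raw, single- or double-encoded form."""
    decoded = target
    for _ in range(3):  # check raw, then once-decoded, then twice-decoded
        if TRAVERSAL_RE.search(decoded):
            return True
        decoded = unquote(decoded)
    return False


def scan_log(text: str, admin_nets) -> list:
    """Return (ip, target, status, reasons) for suspicious requests under /CFIDE/."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, _method, target, status = m.groups()
        if not target.lower().startswith("/cfide/"):
            continue  # only the administrator directory is of interest here
        reasons = []
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            reasons.append("admin path requested from outside the admin network")
        if has_traversal(target):
            reasons.append("directory traversal sequence in request")
        if reasons:
            findings.append((ip, target, status, reasons))
    return findings


if __name__ == "__main__":
    for ip, target, status, reasons in scan_log(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{ip} {status} {target}: {'; '.join(reasons)}")
```

A request from inside the admin network to the plain index page is not reported, which is the state the CFIDE access restriction is meant to enforce; an HTTP 200 on a flagged traversal request is the case worth escalating.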