ColdFusion – just another security hole…

by kai on 16/05/2013



It’s getting to the point where people who’re looking at this must be saying: “Man, this is getting really embarrassing for Adobe”.

There’s another (unspecified) security hole that users were made aware of May 8, 2013. The patch was then announced for and released on May 14, 2013, for the days in-between there was only the recommendation to lock away most of /CFIDE (that’s what you essentially should do anyway imho):

/CFIDE/administrator
/CFIDE/adminapi
/CFIDE/gettingstarted

Here are some relevant links:

http://blogs.adobe.com/psirt/2013/05/security-advisory-for-coldfusion-apsa13-03.html

http://www.adobe.com/support/security/advisories/apsa13-03.html

http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-13.html

http://blog.edgewebhosting.net/2013/05/0-day-exploit-for-coldfusion/

Adobe seriously needs to get their act together, the amount of holes and leaks in the whole /CFIDE subsystem is getting way out of hand. They need to urgently rearchitect this part of the CF server.

Without going into details – there should be a clear separation between the “administrator” area/functionality and “stuff” that’s needed for certain tags to function. The latter would be for instance the various .js files for client-side validation, files needed for cfgraph/cfchart and some others. I the recent series of security issues and hacks leads to some rethinking on how this has being built on Adobe’s end. I’d be more than happy to give up one or more of the canonical “new features that demo well but hardly anyone ever uses” for some serious work going into this pain point.

Just saying, YMMV.

Jonathan Weavers July 5, 2013 at 4:36 pm

Hey Kai –

Your last post [ColdFusion – just another security hole…] was freaking awesome. I have gone ahead and added your stuff to my Feedly account. Please keep me updated if you post anywhere else.

Keep rocking –

Jon

Comments on this entry are closed.

Previous post:

Next post: