ColdFusion Server Attacks 2013

Happy New Year! So, a month after I first had to fix a customer's CF9 server because of the December 2012 ColdFusion exploit, and three weeks after Adobe released their HotFix for the vulnerability, I am still being asked for help by others in the wider ColdFusion community who are not aware of Adobe's announcements - typically people with 'legacy' ColdFusion applications who have moved on to other technologies or build their new sites on Railo servers. So here follows the info, so that in future I can refer others here to save time...

And my tip for people who want to react quickly in future but don't spend much time around ColdFusion: follow https://twitter.com/coldfusion on Twitter, and look out for the security updates Adobe posts there.

A vast number of CF servers were hacked over the last few weeks due to a vulnerability newly exposed over Christmas 2012. Adobe released a hotfix for this in January 2013:

http://www.adobe.com/support/security/bulletins/apsb13-03.html
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
And if you didn't have the latest updates installed before that, then best to also check:
http://www.adobe.com/support/coldfusion/downloads_updates.html

It does not affect Railo servers, but it could affect any ColdFusion Server which had not locked down public access to three specific folders within CFIDE. It’s common knowledge to lock down ‘CFIDE/Administrator’ access but this is the first time I’ve heard of it being necessary to lock down the ‘CFIDE/componentutils’ folder too.

If you can see the CF Admin login page here then you are likely to be vulnerable:

http://www.yourpublicdomain.com/CFIDE/Administrator/index.cfm

The links above follow through with all the relevant info, but for a quick check, if you RDP onto the server and inspect the CFIDE directory and see any of the following filenames present…

h.cfm
i.cfm
(or install.cfm if it was not there before)

…then you’ve been hacked.

This would not necessarily mean that anything malicious has been done yet – but it would mean it could have been, and the server would be a sitting duck for more until fixed as above.
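As an added example (not code from the original post), here is a small Python script that automates the two checks described above: it walks a CFIDE directory looking for the attacker-dropped filenames the post lists (h.cfm, i.cfm, and install.cfm, which is only suspicious if it was not part of your original install), and optionally requests the CFIDE/Administrator login page and the componentutils folder from outside the server to see whether they are publicly reachable. The CFIDE path, the public base URL and the optional "modified after" cutoff date are assumptions you supply on the command line; the cutoff-date check is an addition beyond the post's filename list, useful because a compromised server often has other recently modified .cfm files alongside the known names.

```python
"""Quick post-incident check for the early-2013 ColdFusion CFIDE compromise.

Added example, not code from the original post. It automates the two manual
checks the post describes: look for attacker-dropped files under CFIDE, and
see whether the CF Administrator login page is reachable from the internet.
The CFIDE directory, public base URL and cutoff date are supplied by the user.
"""
import os
import sys
import time
import urllib.error
import urllib.request

# Filenames the post says indicate a compromised server. install.cfm is only
# suspicious if it was not part of your original install, so it is reported
# separately for you to compare against a known-clean baseline.
INDICATOR_FILES = ("h.cfm", "i.cfm")
BASELINE_DEPENDENT_FILES = ("install.cfm",)

# Paths the post says must not be publicly reachable.
SENSITIVE_PATHS = (
    "/CFIDE/Administrator/index.cfm",
    "/CFIDE/componentutils/",
)


def find_indicator_files(cfide_dir, modified_after=None):
    """Walk cfide_dir and return a dict of three sorted lists of (rel_path, mtime):
    'indicators' - known attacker filenames found anywhere under CFIDE
    'baseline'   - files only suspicious if absent from a clean install
    'recent'     - any .cfm/.cfc/.jsp modified after the given epoch timestamp
                   (assumed cutoff supplied by the caller; skipped if None)
    """
    found = {"indicators": [], "baseline": [], "recent": []}
    for root, _dirs, files in os.walk(cfide_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, cfide_dir)
            mtime = os.path.getmtime(full)
            lname = name.lower()
            if lname in INDICATOR_FILES:
                found["indicators"].append((rel, mtime))
            elif lname in BASELINE_DEPENDENT_FILES:
                found["baseline"].append((rel, mtime))
            if (modified_after is not None and mtime > modified_after
                    and lname.endswith((".cfm", ".cfc", ".jsp"))):
                found["recent"].append((rel, mtime))
    for key in found:
        found[key].sort()
    return found


def check_public_exposure(base_url, paths=SENSITIVE_PATHS, timeout=10):
    """GET each sensitive path and return {path: http_status}.

    Run this from a host OUTSIDE the server. A 200 for the Administrator login
    page means it is reachable and, per the post, the server is likely
    vulnerable; 403/404 (or a connection failure, recorded as None) is what a
    locked-down server should give you.
    """
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as e:
            results[path] = e.code  # 403/404 etc. still tell us something
        except (urllib.error.URLError, OSError):
            results[path] = None
    return results


def main(argv):
    if len(argv) < 2:
        print("usage: cfide_check.py <CFIDE dir> [public base URL] [YYYY-MM-DD cutoff]")
        return 2
    cutoff = None
    if len(argv) > 3:
        cutoff = time.mktime(time.strptime(argv[3], "%Y-%m-%d"))
    report = find_indicator_files(argv[1], cutoff)
    for key, entries in report.items():
        for rel, mtime in entries:
            print("%-10s %s  (modified %s)" % (key, rel, time.ctime(mtime)))
    if report["indicators"]:
        print("RESULT: known attacker files present - treat the server as compromised")
    if len(argv) > 2:
        for path, status in check_public_exposure(argv[2]).items():
            print("%s -> %s" % (path, status))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the server as `python cfide_check.py "C:\ColdFusion9\wwwroot\CFIDE" https://www.yourpublicdomain.com 2012-12-01` (paths and hostname are placeholders). The filesystem scan is the reliable part; an absent h.cfm or i.cfm does not prove the server is clean, only that the specific files the post names were not left behind, so a clean baseline to compare against is still the best reference.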

If you have an already hacked server, though, then you have the added problem of trying to get back to a clean state. Depending upon how permissions had been set up for CF, IIS and directory security, the attacker could have had loose access to the entire server, including Program Files, and been able to run SQL against every database configured in CF.
