In association with heise online

09 May 2013, 12:35

Adobe acknowledges critical hole in ColdFusion

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

ColdFusion icon Adobe says it has identified a critical vulnerability, which is reportedly already being exploited in the wild, in ColdFusion 10, 9.0.2, 9.0.1, 9.0 and earlier versions on Windows, Mac, and UNIX systems. In a security advisory, Adobe says that the vulnerability permits unauthorised users to remotely retrieve files on the server. The company says it is in the process of testing a fix for the problem and expects it to be available next Tuesday, 14 May.

In the interim, the company offers a mitigation. Administrators should restrict public access to the directories CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted. For details of how to do this, Adobe directs users to the ColdFusion 9 Server Lockdown GuidePDF and ColdFusion 10 Server Lockdown GuidePDF. The flaw was reported to Adobe through Marcin Siedlarz of Symantec Security Response and is being referenced as CVE-2013-3336.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit