Adobe acknowledges critical hole in ColdFusion
Adobe says it has identified a critical vulnerability, which is reportedly already being exploited in the wild, in ColdFusion 10, 9.0.2, 9.0.1, 9.0 and earlier versions on Windows, Mac, and UNIX systems. In a security advisory, Adobe says that the vulnerability permits unauthorised users to remotely retrieve files on the server. The company says it is in the process of testing a fix for the problem and expects it to be available next Tuesday, 14 May.
In the interim, the company offers a mitigation. Administrators should restrict public access to the directories
CFIDE/gettingstarted. For details of how to do this, Adobe directs users to the ColdFusion 9 Server Lockdown Guide and ColdFusion 10 Server Lockdown Guide. The flaw was reported to Adobe through Marcin Siedlarz of Symantec Security Response and is being referenced as CVE-2013-3336.