ColdFusion vulnerability more critical than first thought
Several security experts are claiming that the ColdFusion vulnerability disclosed last week is more critical than Adobe is reporting. Adobe has classified the issue as 'important', probably because it is not exploitable under the default configuration, but in practice there appear to be many non-default installations on which the vulnerability can be exploited.
The vulnerability allows arbitrary files on the server, including the password file password.properties, to be accessed via directory traversal. A Python exploit for accessing files on a vulnerable server has already been posted to Exploit-DB.com. ColdFusion versions 8.0, 8.0.1, 9.0, 9.0.1 and earlier for Windows, Mac and UNIX are affected.
The password file contains the ColdFusion administrator password, in either plain text or hashed form depending on the configuration. Having obtained the password, an attacker can log in to the ColdFusion server's administration interface and may be able to take complete control of the server. Users should attach the highest priority to installing the security update. An FAQ page on the security blog GnuCitizen provides further information on workarounds.
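As an added example (not code from the article, Adobe, or the Exploit-DB entry), one way a defender can sweep web server access logs for directory-traversal requests that reach for the password file named above. The log lines, the `/page.cfm` endpoint and the `p` query parameter are constructed for illustration; only the target filename comes from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The endpoint and the
# "p" parameter are hypothetical; only the filename password.properties is real.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2010:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512
10.0.0.7 - - [12/Aug/2010:10:01:09 +0000] "GET /page.cfm?p=../../../lib/password.properties HTTP/1.1" 200 1024
10.0.0.7 - - [12/Aug/2010:10:01:15 +0000] "GET /page.cfm?p=..%2F..%2Flib%2Fpassword.properties HTTP/1.1" 200 1024
10.0.0.9 - - [12/Aug/2010:10:02:00 +0000] "GET /page.cfm?p=%252e%252e%252fconfig HTTP/1.1" 200 900
10.0.0.3 - - [12/Aug/2010:10:03:00 +0000] "GET /docs/password.properties.html HTTP/1.1" 404 0
"""

# Common Log Format: client IP, identity, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A dot-dot segment followed by a forward or back slash, after decoding
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(path, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded
    sequences such as %252e%252e%252f are seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_log(text):
    """Return (ip, status, decoded_path, severity) for each suspicious request.
    Severity is 'high' when the decoded path names password.properties and
    'medium' for any other dot-dot traversal attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, raw_path, status = m.groups()
        path = fully_decode(raw_path)
        if not TRAVERSAL_RE.search(path):
            continue
        severity = "high" if "password.properties" in path.lower() else "medium"
        findings.append((ip, int(status), path, severity))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request is the case to investigate first, since it suggests the traversal was served rather than rejected.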