Adobe has released a hotfix for ColdFusion that closes critical vulnerabilities allowing attackers to bypass authentication and remotely take control of servers. Here is a brief note on how Adobe patched the four flaws being exploited in the wild.
Adobe had recommended a series of mitigations in a Jan. 7 advisory as a stopgap until the hotfixes were released.
Of the four vulnerabilities, two affect ColdFusion 10, 9.0.2, 9.0.1 and 9.0; the other two do not affect ColdFusion 10. The hotfix is available for Windows, UNIX and Mac OS X.
In its advisory, Adobe said that these patches address flaws that could allow attackers to remotely circumvent authentication controls and thereby take control of an affected server.
The hotfix repairs the following vulnerabilities –
- 2 authentication bypass flaws – CVE-2013-0625 and CVE-2013-0632
- Directory traversal – CVE-2013-0629
- Data leakage (information disclosure) flaw – CVE-2013-0631
CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion installations that have no password set or have password protection disabled.
While Adobe was still developing the hotfixes, users were advised to follow several steps to reduce the risk from these flaws. The mitigations include –
- Creating separate credentials for Remote Development Services (RDS), different from those of the administrator account, and then disabling RDS
- Disabling external access to the /CFIDE/administrator, /CFIDE/componentutils and /CFIDE/adminapi directories
- Removing unneeded ColdFusion components or templates from the webroot and CFIDE directories
- Enabling access control restrictions for internal applications and the administrator interface
- Installing all ColdFusion hotfixes available to date
- Following the security best practices (lockdown guides) for ColdFusion 9 and 10
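Blocking the three /CFIDE paths at the web server is only half the job; the check a practitioner wants afterwards is to confirm from an outside vantage point that none of them still answers. The script below is an added example, not Adobe's tooling or anything from this page: it requests each path and reports "blocked" only for 401/403/404, because a 200 that renders the administrator login page is exactly what the authentication-bypass flaws targeted. The base URL and the sample status codes are constructed assumptions so the logic can be run offline.

```python
"""Exposure check for the ColdFusion administrative paths named in the
advisory.  Run it from OUTSIDE the network after applying the mitigation and
expect every path to report "blocked".  Added illustration; the host and the
SAMPLE_STATUSES fixture below are assumptions, not real data."""
import sys
import urllib.error
import urllib.request

# Paths Adobe's mitigation says must not be reachable from outside.
CFIDE_PATHS = (
    "/CFIDE/administrator/",
    "/CFIDE/componentutils/",
    "/CFIDE/adminapi/",
)


def classify(status: int) -> str:
    """Turn an HTTP status into a verdict.

    401/403/404: the web server refused the request or does not route it.
    0: no HTTP answer at all (refused, timed out); investigate, do not
       assume it is blocked.
    Anything else, including a 200 that shows the administrator login page,
    is "exposed": reachable-but-asks-for-a-password is not good enough when
    the bug is an authentication bypass.
    """
    if status == 0:
        return "unreachable"
    return "blocked" if status in (401, 403, 404) else "exposed"


def http_status(base_url: str, path: str, timeout: float = 5.0) -> int:
    """GET base_url + path and return the status code; 0 if no HTTP reply."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"User-Agent": "cfide-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 401/403/404/5xx arrive as exceptions
    except urllib.error.URLError:
        return 0                 # connection refused, DNS failure, timeout


def audit(base_url: str, fetch=http_status) -> dict:
    """Return {path: verdict} for every administrative path.

    `fetch` is injectable so the logic can be exercised without a network.
    """
    return {path: classify(fetch(base_url, path)) for path in CFIDE_PATHS}


def all_blocked(report: dict) -> bool:
    """True only when every administrative path is positively blocked."""
    return all(verdict == "blocked" for verdict in report.values())


# Constructed sample: a half-finished lockdown where /CFIDE/administrator was
# blocked but /CFIDE/adminapi was forgotten.
SAMPLE_STATUSES = {
    "/CFIDE/administrator/": 403,
    "/CFIDE/componentutils/": 404,
    "/CFIDE/adminapi/": 200,
}


def sample_fetch(base_url: str, path: str) -> int:
    """Offline stand-in for http_status that replays SAMPLE_STATUSES."""
    return SAMPLE_STATUSES[path]


if __name__ == "__main__":
    # Usage: python cfide_check.py https://www.example.com   (assumed host)
    if len(sys.argv) > 1:
        result = audit(sys.argv[1])
    else:
        result = audit("https://www.example.com", fetch=sample_fetch)
    for p, verdict in result.items():
        print(f"{verdict:12} {p}")
    sys.exit(0 if all_blocked(result) else 1)
```

Run it once from the internal network (where the administrator should still reach the paths) and once from outside; only the outside run needs to come back fully "blocked". An "unreachable" verdict is deliberately not treated as success so that a transient timeout cannot mask an exposed interface.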
Our web development team at ITLANDMARK can help you apply the hotfixes for vulnerabilities detected on your site and build dynamic web applications. Use the contact form on this page to get in touch; we offer the ColdFusion services your website requires.