Adobe's ColdFusion may seem like a legacy product, but in fact more than 12,000 companies still use the Web application platform on more than 125,000 servers, including BMW, Bank of America, and AT&T. As with any other widely used platform, vulnerabilities and patches are part of the deal -- but the way Adobe addressed a recently discovered flaw may not help its efforts to renovate its security reputation.
Last Tuesday Adobe released a hotfix and security bulletin to fix the ColdFusion flaw, giving the issue its No. 2 ranking, "Important," because the company maintains that the flaw only allows an attacker to read known files on a Web server.
Those responsible for maintaining ColdFusion servers might want to raise that priority to "Critical" status. Late last week, a security researcher revealed that the ability to download files extends to the ColdFusion server's password file. Access to the file gives an attacker the ability to take control of the server and potentially infect visitors with malicious software, according to the post on the GnuCitizen blog.
"Exploit code (was) published a few days ago, so I expect numerous attacks [are] taking place 'in the wild' now," said Adrian Pastor, a security consultant at Corsaire and the author of the post.
Adobe patched the directory traversal issue last week, after it was reported by ProCheckUp, a security firm. However, the company apparently neglected to consider the straightforward way of exploiting the flaw to gain remote administrator access to a server. The attack does require that the admin console be accessible from the Internet.
When asked for comment, Adobe reaffirmed the "Important" rating, offering this boilerplate response: "Because it is possible for a vulnerability to be exploited in combination with other factors that may impact the overall severity of an attack, Adobe always recommends users update their product installations in line with security best practices."
Pastor confirmed that the attack works on an older version of ColdFusion, but in its advisory, Adobe says that the latest version of the product is also vulnerable to attack, even though exploitation is more difficult due to some proactive filtering.
The ColdFusion password file is encrypted by default, but an attacker with access to the file can break the passwords via a dictionary attack. Another serious security issue allows attackers to use merely the stored hash of the password to gain access to the administrator console, Pastor says in an update to his post. "The attacker doesn't need to crack (the hash) and obtain the password at all," Pastor says.
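For administrators who cannot take the admin console off the Internet immediately, the practical question raised by the traversal flaw and the password-file exposure above is whether anyone has already tried it. The following is an added example, not code from the article or from Adobe: a small log scanner that percent-decodes request paths repeatedly (so that double-encoded `..%252f` sequences, the kind of trick that "proactive filtering" tends to miss, are still caught), normalises backslashes, and flags traversal or null-byte requests. The log lines, the `page=` parameter and the target file name are constructed placeholders; the `/CFIDE/administrator/` prefix is the standard ColdFusion admin console path.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The hostile
# parameter and file name are placeholders, not the real exploit details.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2010:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5123
203.0.113.9 - - [20/Aug/2010:10:01:07 +0000] "GET /CFIDE/administrator/index.cfm?page=../../../../conf/settings.xml HTTP/1.1" 200 812
203.0.113.9 - - [20/Aug/2010:10:01:09 +0000] "GET /CFIDE/administrator/index.cfm?page=..%252f..%252f..%252fconf/settings.xml%2500 HTTP/1.1" 200 2048
198.51.100.2 - - [20/Aug/2010:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3310
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
ADMIN_PREFIX = "/cfide/administrator/"   # ColdFusion admin console path

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (..%252f) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_reasons(raw_path):
    """Return the list of suspicious traits found in one request path."""
    path = decode_fully(raw_path).replace("\\", "/")
    reasons = []
    if re.search(r"(^|[/=?&])\.\.(/|$)", path):
        reasons.append("dot-dot traversal")
    if "\x00" in path:
        reasons.append("null byte")
    if path.lower().startswith(ADMIN_PREFIX):
        reasons.append("admin console request")
    return reasons

def scan_log(text):
    """Flag requests whose decoded path contains traversal or a null byte."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, raw_path, status = m.groups()
        reasons = traversal_reasons(raw_path)
        if "dot-dot traversal" in reasons or "null byte" in reasons:
            hits.append({"ip": ip, "path": raw_path, "status": int(status), "reasons": reasons})
    return hits
```

A hit with a 200 status against the admin console path is the case worth escalating, since a successful read of the password file is exactly what turns this "Important" bug into a server takeover.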
Given the recent drubbing Adobe has gotten over PDF and Flash vulnerabilities, the company might want to more accurately spell out the risks to its ColdFusion platform as well.