Adobe's ColdFusion may seem like a legacy product, but in fact more than 12,000 companies still use the Web application platform on more than 125,000 servers, including BMW, Bank of America, and AT&T. As with any other widely used platform, vulnerabilities and patches are part of the deal -- but the way Adobe addressed a recently discovered flaw may not help its efforts to renovate its security reputation.
Last Tuesday Adobe released a hotfix and security bulletin to fix the ColdFusion flaw, giving the issue its No. 2 ranking, "Important," because the company maintains that the flaw only allows an attacker to read known files on a Web server.
Those responsible for maintaining ColdFusion servers might want to raise that priority to "Critical" status. Late last week, a security researcher revealed that the ability to download files extends to the ColdFusion server's password file. Access to the file gives an attacker the ability to take control of the server and potentially infect visitors with malicious software, according to the post on the GnuCitizen blog.
"Exploit code (was) published a few days ago, so I expect numerous attacks [are] taking place 'in the wild' now," said Adrian Pastor, a security consultant at Corsaire and the author of the post.
Adobe patched the directory traversal issue last week, after it was reported by ProCheckUp, a security firm. However, the company apparently neglected to consider the straightforward way of exploiting the flaw to gain remote administrator access to a server. The attack does require that the admin console be accessible from the Internet.
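Because the researcher expects attacks to be under way, administrators who cannot patch or firewall the admin console immediately will want to check their access logs for directory traversal attempts. The script below is an added example written for this article, not code from Adobe, ProCheckUp or GnuCitizen: it parses common-format access-log lines, percent-decodes each request target repeatedly (so single- and double-encoded `..` sequences are caught), counts `..` path segments in the path and in every query-string value, and rates a hit higher when the normalized path or value escapes the web root and the request is aimed at the admin console. The log lines, the `/admin/` prefix and the `page` parameter are constructed placeholders, not ColdFusion's real paths or parameters.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log entries (not captured traffic). The admin
# prefix and the "page" parameter are placeholders chosen for the example.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2000:12:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
198.51.100.8 - - [01/Jan/2000:12:00:02 +0000] "GET /admin/view.cfm?page=../../../../etc/passwd HTTP/1.1" 200 1024
198.51.100.9 - - [01/Jan/2000:12:00:03 +0000] "GET /admin/view.cfm?page=..%2F..%2Fconfig%2Fpasswords.txt HTTP/1.1" 200 640
198.51.100.10 - - [01/Jan/2000:12:00:04 +0000] "GET /admin/view.cfm?page=%252e%252e/%252e%252e/secret HTTP/1.1" 200 640
198.51.100.11 - - [01/Jan/2000:12:00:05 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 2048
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

ADMIN_PREFIX = "/admin/"  # assumption: replace with the console path you actually expose


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %2e%2e and
    %252e%252e both end up as '..'. Backslashes are folded to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def traversal_depth(value):
    """Number of '..' segments in a decoded path-like string."""
    return sum(1 for seg in value.split("/") if seg == "..")


def escapes_root(value):
    """True if the normalized relative path still begins with '..', i.e. it
    climbs above the directory it started in."""
    norm = posixpath.normpath(value.lstrip("/"))
    return norm == ".." or norm.startswith("../")


def analyze_target(target):
    """Return (depth, escapes, hits_admin) for one request target."""
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    # parse_qsl decodes once; decode_fully handles any further encoding layers
    values = [decode_fully(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates = [path] + values
    depth = sum(traversal_depth(c) for c in candidates)
    escapes = any(escapes_root(c) for c in candidates if traversal_depth(c))
    return depth, escapes, path.startswith(ADMIN_PREFIX)


def severity(depth, escapes, hits_admin):
    if depth == 0:
        return None
    if escapes and hits_admin:
        return "high"    # traversal that leaves the web root, aimed at the console
    if escapes:
        return "medium"  # leaves the web root elsewhere on the server
    return "low"         # '..' present but resolves inside the web root


def scan_log(text):
    """Return one finding per log line that contains a traversal sequence."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        depth, escapes, hits_admin = analyze_target(m["target"])
        sev = severity(depth, escapes, hits_admin)
        if sev:
            findings.append({"ip": m["ip"], "target": m["target"],
                             "depth": depth, "severity": sev})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} depth={f['depth']} {f['ip']} {f['target']}")
```

Run against real logs, the "high" bucket is the one to triage first; the "low" bucket mostly shows relative links inside the site and can usually be tuned out. Treat this as a triage aid rather than a control: it only sees what the web server logged, and the mitigation the article implies still stands, keeping the admin console off the Internet and applying the hotfix.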