When asked for comment, Adobe reaffirmed the "Important" rating, offering this boilerplate response: "Because it is possible for a vulnerability to be exploited in combination with other factors that may impact the overall severity of an attack, Adobe always recommends users update their product installations in line with security best practices."
Pastor confirmed that the attack works on an older version of ColdFusion, but in its advisory, Adobe says that the latest version of the product is also vulnerable to attack, even though exploitation is more difficult due to some proactive filtering.
The ColdFusion password file stores the administrator password as a hash rather than in clear text by default, but an attacker who can read the file can recover a weak password with a dictionary attack. A second, more serious issue lets an attacker authenticate to the administrator console with nothing more than the stored hash, Pastor says in an update to his post. "The attacker doesn't need to crack (the hash) and obtain the password at all," Pastor says.
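As an added illustration of the two weaknesses described above (this is example code, not code from the article, from Pastor's post, or from ColdFusion itself), the Python below models a password store holding an unsalted SHA-1 digest of the admin password, runs a dictionary attack against it, and contrasts a login routine that accepts the digest itself as the credential with one that derives a salted, slow digest from the submitted password. The file layout, the choice of unsalted SHA-1, the wordlist and both login classes are constructed assumptions made for this example and do not describe ColdFusion's actual implementation.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample password file. The layout (one key=value line holding an
# unsalted uppercase SHA-1 hex digest of the admin password) is an assumption
# made for this example, not ColdFusion's real on-disk format.
# The digest below is SHA-1("password").
SAMPLE_PASSWORD_FILE = """# sample admin password store (constructed)
password=5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
"""

# Constructed wordlist; a real dictionary attack uses a large leaked-password list.
WORDLIST = ["123456", "letmein", "coldfusion", "password", "admin"]


def parse_password_file(text: str) -> dict:
    """Return {key: lowercase hex digest} for each key=value line, skipping comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip().lower()
    return entries


def dictionary_attack(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each candidate the same way the file does (unsalted SHA-1) and compare.
    An unsalted, fast hash makes this cheap and trivially parallelisable."""
    target = stored_hash.lower()
    for candidate in wordlist:
        if hashlib.sha1(candidate.encode()).hexdigest() == target:
            return candidate
    return None


class WeakAdminLogin:
    """Models the second issue Pastor describes: the console accepts the hash
    itself as the credential, so a copy of the file is enough to log in."""

    def __init__(self, stored_hash: str) -> None:
        self.stored_hash = stored_hash.lower()

    def login_with_hash(self, presented_hash: str) -> bool:
        # Comparing what the client sends against the stored digest makes the
        # digest, not the password, the real secret: pass-the-hash.
        return hmac.compare_digest(presented_hash.lower(), self.stored_hash)


class HardenedAdminLogin:
    """Hardened form: the server derives a salted, slow digest from the plaintext
    password the client submits, so the stored digest is never a valid credential."""

    ITERATIONS = 100_000  # kept modest so the example runs quickly

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)  # per-user salt defeats precomputed tables
        self.stored = self._derive(password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self.stored)


def demo() -> dict:
    """Run both scenarios against the constructed file and return the outcomes."""
    stored = parse_password_file(SAMPLE_PASSWORD_FILE)["password"]
    cracked = dictionary_attack(stored, WORDLIST)
    weak = WeakAdminLogin(stored)
    hardened = HardenedAdminLogin("password")
    return {
        "cracked_password": cracked,                                   # "password"
        "weak_hash_login": weak.login_with_hash(stored),               # True: no cracking needed
        "hardened_hash_login": hardened.login(hardened.stored.hex()),  # False: digest is not a password
        "hardened_password_login": hardened.login("password"),         # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two classes are the point of the example: `WeakAdminLogin` shows why stealing the file is as good as knowing the password when the server compares a client-supplied digest directly, while `HardenedAdminLogin` shows that recomputing a salted, iterated digest from the submitted plaintext closes both gaps at once, since the stored value is no longer accepted as input and an unsalted wordlist run no longer matches it.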
Given the recent drubbing Adobe has gotten over PDF and Flash vulnerabilities, the company might want to more accurately spell out the risks to its ColdFusion platform as well.