COLDFUSION PATCH REQUIRED.
AHPHOSTING IS NOT PERFORMING THIS UPDATE BY DEFAULT.

If you want your server patched for you, a $100.00 fee will be assessed. Please post a support ticket and request this be done for you. Again, a $100.00 fee will be billed to perform this on your behalf.

Hackers are able to access every file, including usernames and passwords, from a server running ColdFusion. This was accomplished through a directory traversal and file retrieval flaw found within the ColdFusion administrator. A standard web browser was used to carry out the attack; knowledge of the admin password is not needed.

A competent attacker would be able to steal files from the server, gain access to secure areas, and eventually modify content or shut down the website or application. According to Adobe's website, ColdFusion is used by Bank of America, JPMorgan Chase, the Federal Reserve Bank and the United States Senate, not to mention IT security companies Symantec & McAfee.

Versions tested and found vulnerable:

  • ColdFusion MX7 7,0,0,91690 base patches
  • ColdFusion MX8 8,0,1,195765 base patches
  • ColdFusion MX8 8,0,1,195765 with Hotfix4

How to patch

Apply patches as described below, or restrict access to /CFIDE/administrator/ by IP address or other similar controls.

ColdFusion 9
1. Download CFIDE-9.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-9.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.

ColdFusion 8.0.1
1. Download CFIDE-801.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-801.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.

ColdFusion 8.0
1. Download CFIDE-8.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-8.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.
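
Steps 2 and 3 above can be scripted so that every CFIDE copy is backed up, patched and checked the same way. The following is an added example, not code from Adobe or AHPHosting; the function names are hypothetical, and it assumes the archive's entries start at CFIDE/ so that extracting into the web root overwrites the two files in place. Restarting the ColdFusion instances (step 5) is still done by hand.

```python
import hashlib, shutil, tempfile, zipfile
from pathlib import Path

# The two files the article says to back up, relative to the web root
# that contains the CFIDE folder.
PATCHED = [Path("CFIDE/administrator/cftags/l10n.cfm"),
           Path("CFIDE/administrator/cftags/l10n_testing.cfm")]

def sha256(path):
    """Hash a file, or return None if it does not exist."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.exists() else None

def apply_hotfix(web_root, hotfix_zip, backup_dir):
    """Steps 2-3 for one web root: back up, extract, report what changed."""
    web_root, backup_dir = Path(web_root), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    before = {}
    for rel in PATCHED:
        before[rel] = sha256(web_root / rel)
        if before[rel] is not None:
            shutil.copy2(web_root / rel, backup_dir / rel.name)  # step 2
    with zipfile.ZipFile(hotfix_zip) as zf:
        zf.extractall(web_root)                                  # step 3
    # False means the archive did not replace that file in this CFIDE copy,
    # e.g. the wrong web root was chosen or the file was already patched.
    return {rel.as_posix(): before[rel] != sha256(web_root / rel)
            for rel in PATCHED}

def demo(files_in_zip=PATCHED):
    """Run against a constructed web root and a constructed stand-in archive."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        web_root = tmp / "wwwroot"
        for rel in PATCHED:
            (web_root / rel).parent.mkdir(parents=True, exist_ok=True)
            (web_root / rel).write_text("unpatched placeholder")
        hotfix = tmp / "hotfix.zip"   # stands in for CFIDE-9.zip etc.
        with zipfile.ZipFile(hotfix, "w") as zf:
            for rel in files_in_zip:
                zf.writestr(rel.as_posix(), "patched placeholder")
        changed = apply_hotfix(web_root, hotfix, tmp / "backup")
        backups = sorted(p.name for p in (tmp / "backup").iterdir())
        return changed, backups

if __name__ == "__main__":
    print(demo())
```

For step 4, call apply_hotfix once per CFIDE location with a separate backup directory for each, and treat any False in the result as a copy that still needs attention.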