Topic: Update ColdFusion Now, Critical Zero-Day Bug Exploited in the Wild
« on: March 03, 2019, 03:21:42 PM »

Adobe today released emergency updates that fix a critical vulnerability for the ColdFusion web app development platform. The bug can lead to arbitrary code execution and has been exploited in the wild.

The security issue allows an attacker to bypass restrictions for uploading files. To take advantage of it, the adversary has to be able to upload executable code to a directory of files on a web server. The code can then be executed via an HTTP request, Adobe says in its security bulletin.

Critical bug exploited

All ColdFusion versions that do not have the current updates are affected by the vulnerability (CVE-2019-7816), regardless of the platforms they are for.

Charlie Arehart, an independent consultant credited for reporting the vulnerability, told us that he discovered the bug when it was used against one of his clients.

After identifying the attacker's approach, he reported it to Adobe along with a proposed solution. The company was prompt in its response and released a fix "within days," Arehart told BleepingComputer.

The consultant did not share any details about how the hackers managed to carry out the attack, for fear the information could be used by other threat actors on unpatched servers; "getting folks to implement this fix is of critical importance," he said.

However, he believes that a skilled attacker "will be able to connect dots" in Adobe's security bulletin and find a way to exploit the glitch.

Update or mitigate

If applying the latest updates is not possible at the moment, one method to mitigate the risk is to create restrictions for requests to directories that store uploaded files. Developers should also modify their code to disallow executable extensions and check the list themselves, as is recommended by the Adobe ColdFusion guidelines.

ColdFusion 2018 (update 2 and earlier), 2016 (update 9 and earlier), and ColdFusion 11 (update 17 and prior) are susceptible to attacks.

The updates also add the option "Blocked file extensions for CFFile uploads" to the server settings menu to create a list of extensions that should not be uploaded by the cffile tag/functions. This setting is important because it takes precedence over the application-level setting called blockedExtForFileUpload, also introduced by these updates, which allows developers to blacklist the file extensions that should not be uploaded.
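The two developer-side mitigations above (disallow executable extensions in code, and keep uploaded files out of any directory the server will execute from) look like this in a CFML upload handler. This is an added example, not Adobe's code or anything from the post: the form field name "userFile", the staging directory path and the allowed-extension list are assumptions, and it uses only standard cffile attributes (accept, strict, result).

```cfml
<!--- upload.cfm: added example, not from the post or from Adobe.
      Assumes a form field named "userFile" and a writable staging directory
      that sits OUTSIDE the web root (placeholder path), so nothing saved
      here can ever be reached or executed via an HTTP request. --->
<cfset stagingDir = "/var/cfuploads/staging/">      <!--- placeholder, outside web root --->
<cfset allowedExt = "jpg,jpeg,png,gif,pdf">          <!--- allowlist: stricter than any blocklist --->

<cftry>
    <!--- accept= limits the upload to these extensions; strict="true" makes
          ColdFusion inspect the file content against the accepted types
          instead of trusting the client-supplied name alone. --->
    <cffile action="upload"
            fileField="userFile"
            destination="#stagingDir#"
            accept=".jpg,.jpeg,.png,.gif,.pdf"
            strict="true"
            nameConflict="makeUnique"
            result="up">

    <!--- Check the saved extension ourselves, as the post recommends, rather
          than relying only on the platform setting; delete anything that
          does not match the allowlist. --->
    <cfif NOT listFindNoCase(allowedExt, up.serverFileExt)>
        <cffile action="delete" file="#stagingDir##up.serverFile#">
        <cfthrow type="UploadRejected"
                 message="Extension not permitted: #up.serverFileExt#">
    </cfif>

    <!--- Files are later served through a handler (e.g. cfcontent), never by
          a direct URL into the staging directory. --->
    <cfoutput><p>Stored #encodeForHTML(up.serverFile)#</p></cfoutput>

    <cfcatch type="any">
        <!--- Both a rejected accept/strict check and our own check land here. --->
        <cfoutput><p>Upload refused: #encodeForHTML(cfcatch.message)#</p></cfoutput>
    </cfcatch>
</cftry>
```

On a patched server the same extensions can additionally be listed in the application-level blockedExtForFileUpload setting named above, with the server-level "Blocked file extensions for CFFile uploads" setting overriding it; the explicit allowlist in the handler remains useful because it is the only one of the three that works on an unpatched server.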

Credited for reporting the vulnerability are Charlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek, and the Bridge Catalog Team. All of them are developers and support specialists.

