http://www.theregister.co.uk/2010/08/16/adobe_coldfusion_vuln/

By Dan Goodin in San Francisco
The Register
16th August 2010

A recently patched vulnerability in Adobe's ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.

In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.

But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What's more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.

“This attack can lead to a full system compromise, so let's make sure we're clear,” HP researcher Rafal Los wrote here. “It's not just that you can poke around the system files of the machine you've attacked (which is highly likely a MS Windows server); it's also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”

[...]

--
Visit InfoSec News! http://www.infosecnews.org/

Received on Tue Aug 17 2010 - 00:27:15 PDT