Adobe released a security hotfix on 10th August 2010 and classed it as “important”. However, if security is even moderately important to your ColdFusion server, the file system, database and network then you must think of this hotfix as CRITICAL. Just to clarify, this is CRITICAL. An HP security expert has blogged about it and It also caught the eye of The Register.
Hackers have proven how easy it is to use a vulnerability in CF 7, 8 and 9 to gain access to the CF Administrator. Code to perform the hack has been made freely available (which I won’t directly link to, but others have). Mike Bailey tweeted “It works and it’s scary.” Someone else chimed in and showed how you don’t even need to hack the Administrator’s password by using a cheeky bit of JavaScript.
Why is this really bad? Well, once you have access to CF Admin you can run scheduled tasks to access the OS. Someone has kindly(?) written an FAQ explaining how it works and why it’s so bad.
Now that the world knows how to hack it, everyone running CF must now patch their server. Adobe need to hammer home the seriousness of this problem and how critical the hotfix is. “Important” doesn’t stress it enough.
If you have already made the “administrator” directory inaccessible to the Internet or IP protected it then you should be safe, but it’s a good idea to still apply this critical hotfix.