Adobe warns of critical ColdFusion hole being exploited in the wild

Summary: ColdFusion developers have been warned by Adobe to set usernames and passwords for the remote development service and to disable access to certain directories in order to avoid risk of being compromised.

Adobe has warned that a critical vulnerability in its ColdFusion web app development platform for Windows, Mac and Unix is being exploited by attackers.

The software company warned customers about the security hole in an advisory on Friday, adding that there was evidence that it was already being exploited against ColdFusion users.

The vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631) affect the 10, 9.0.2, 9.0.1 and 9.0 versions on all platforms and would allow an unauthorised user to remotely bypass authentication controls in an attempt to take control of a server. Adobe also said the holes could allow an unauthorised user to access restricted directories or glean information from a compromised server.

The company also noted that two of the vulnerabilities only affect ColdFusion users who have no password set or have not enabled password protection at all.

Adobe said it is working on a patch for the vulnerabilities, which is expected to be available for all platforms on 15 January. Until then, the company recommends configuring a username and password for the Remote Development Service and disabling external access to certain directories (/CFIDE/administrator, /CFIDE/adminapi, /CFIDE/componentutils) for hosted sites.
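
To check whether that directory restriction is actually in effect, a web access log can be audited for outside requests to the three paths. The script below is an added example, not code from Adobe or from this article; the internal network ranges, the log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Directories named in Adobe's interim mitigation, lower-cased for matching.
RESTRICTED = ("/cfide/administrator", "/cfide/adminapi", "/cfide/componentutils")
# Assumption: networks permitted to reach the admin paths; adjust per site.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
# Assumption: Apache/nginx "combined"-style access log lines.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalise(target):
    """Decode, collapse and lower-case the path so encoded or mixed-case forms still match."""
    path = unquote(urlsplit(target).path).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def external_admin_hits(lines):
    """Return (ip, path, status, not_denied) for non-internal requests to restricted dirs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL):
            continue
        path = normalise(target)
        if any(path == d or path.startswith(d + "/") for d in RESTRICTED):
            # Heuristic: any status other than 403/404 means the request was not denied.
            hits.append((ip, path, int(status), status not in ("403", "404")))
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [05/Jan/2013:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '10.1.2.3 - - [05/Jan/2013:10:00:05 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.9 - - [05/Jan/2013:10:01:00 +0000] "GET /cfide/adminapi/ HTTP/1.1" 403 210',
    '203.0.113.7 - - [05/Jan/2013:10:02:00 +0000] "GET /CFIDE/scripts/%2e%2e/componentutils/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [05/Jan/2013:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in external_admin_hits(SAMPLE):
        print(hit)
```

A hit whose last field is `True` means an outside client received something other than a denial, so the restriction is missing or incomplete for that path.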

 

Topics: Security, Software Development

Ben Woods


Talkback

2 comments
  • An Adobe Critical vulnerability

    Well who would have thought it.
    Alan Smithie
  • If there ARE any such users...

    Adobe should revoke their licenses to use the software. What users am I talking about? Why, any users who have not set the password. For the article clearly says:

    "The company also noted that two of the vulnerabilities only affect ColdFusion users who have no password set or have not enabled password protection at all."
    mejohnsn