Adobe warns of critical ColdFusion hole being exploited in the wild

Summary: ColdFusion developers have been warned by Adobe to set usernames and passwords for the remote development service and to disable access to certain directories in order to avoid the risk of being compromised.

Adobe has warned that a critical vulnerability in its ColdFusion web app development platform for Windows, Mac and Unix is being exploited by attackers.

The software company warned customers about the security hole in an advisory on Friday, adding that there was evidence that it is already being exploited against ColdFusion users.

The vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631) affect ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 on all platforms and would allow an unauthorised user to remotely bypass authentication controls in an attempt to take control of a server. Adobe also said the holes could allow an unauthorised user to access restricted directories or glean information from a compromised server.

The company also noted that two of the vulnerabilities only affect ColdFusion users who have no password set or have not enabled password protection at all.

Adobe said it is working on a patch for the vulnerabilities, which is expected to be available for all platforms on 15 January. Until then, the company recommends configuring a username and password for the Remote Development Service and disabling external access to certain directories (/CFIDE/administrator, /CFIDE/adminapi, /CFIDE/componentutils) for hosted sites.
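One way to check whether the directory restriction is holding is to look for external requests to those three paths in the web server's access log. The script below is an added example, not code from Adobe's advisory or this article; the combined log format, the internal address ranges and the sample log lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Directories the article says to close to external access (lowercased for matching).
RESTRICTED = ("/cfide/administrator", "/cfide/adminapi", "/cfide/componentutils")
# Assumption: ranges treated as internal; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: Apache/NGINX "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Drop the query string, decode, lowercase and collapse slashes before matching."""
    path = unquote(target.split("?", 1)[0]).lower().replace("\\", "/")
    return re.sub(r"/+", "/", path)

def audit(lines):
    """Return (ip, path, status, verdict) for external requests to restricted directories."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if any(ip in net for net in INTERNAL_NETS):
            continue  # internal administration traffic is expected
        path = normalise(m["target"])
        if any(path == p or path.startswith(p + "/") for p in RESTRICTED):
            status = int(m["status"])
            verdict = "blocked" if status in (403, 404) else "REACHABLE"
            findings.append((str(ip), path, status, verdict))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up file names), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [05/Jan/2013:10:00:01 +0000] "GET /CFIDE/administrator/example.cfm HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [05/Jan/2013:10:00:02 +0000] "POST /cfide//AdminAPI/example.cfc?m=x HTTP/1.1" 403 210 "-" "-"',
    '10.1.2.3 - - [05/Jan/2013:10:00:03 +0000] "GET /CFIDE/administrator/example.cfm HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [05/Jan/2013:10:00:04 +0000] "GET /CFIDE/scripts/example.js HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A "REACHABLE" verdict means the web server answered an external client for one of the restricted directories with something other than 403 or 404, so the access rule is missing or not matching that request.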

 

Topics: Security, Software Development

About

With a psychology degree under his belt, Ben set off on a four-year sojourn as a professional online poker player, but as the draw of the gambling life began to wane his attentions turned to more wholesome employment. With several years' experience covering everything in the world of telecoms and mobility, Ben's your man if it involves a s...
