ITS ADVISORY NUMBER:
Vulnerability in Adobe ColdFusion Allows Unauthorized File Access (APSA13-03)
A vulnerability has been discovered in Adobe ColdFusion that could permit an unauthorized user to remotely retrieve files stored on a server. Adobe ColdFusion is a widely distributed web application platform used for the development of rich internet applications. Successful exploitation could result in an attacker gaining access to sensitive information.
It should be noted that there is currently no patch available for this vulnerability and it is currently being exploited in the wild.
- Adobe ColdFusion 10
- Adobe ColdFusion 9.0.2
- Adobe ColdFusion 9.0.1
- Adobe ColdFusion 9
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High (if hosting a website using Adobe ColdFusion)
A vulnerability has been discovered in Adobe ColdFusion that could permit an unauthorized user to remotely retrieve files stored on a server. Using directory traversal techniques an attacker can gain access to directories containing sensitive files and information, including administrator account passwords. Successful exploitation allows remote users to access files stored within the CFIDE/administrator, CFIDE/adminapi, and CFIDE/gettingstarted directories.
It should be noted that there is currently no patch available for this vulnerability and it is currently being exploited in the wild. Adobe expects to release a fix on May 14, 2013.
We recommend the following actions be taken:
- Install the appropriate vendor patch as soon as it becomes available after appropriate testing
- Disable external access to the following directories for all hosted sites:
- Refer to the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide for security best practices and further information on these hardening techniques.
Acting Chief Information Security Officer
- Cyber Security Home
- Incident Reporting
- Breach Notification
- Cyber Advisories
- NYS Digital Forensics
- Cyber Tips Newsletter
- Keeping Kids Safe Online
- Local Government
- Policies and Resources
- NY-ISAC Secure Portal