The recently patched vulnerability in Adobe’s ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.
Last week’s bulletin published by Adobe rated the directory traversal vulnerability “important,” stating that it “could lead to information disclosure”. At least two researchers have said the vulnerability should have been rated critical because it allows attackers to seize control of servers. According to a post on the GnuCitizen blog, the flaw lets an attacker download files from the server, including the ColdFusion server’s password file, which in turn gives the attacker the ability to take control of the server and potentially infect visitors with malicious software. Attackers can use simple web searches to find administrators who have carelessly exposed ColdFusion files, making the attacks much easier to carry out.
An attack using this vulnerability can lead to a full system compromise. It is not just that an attacker can poke around the system files of the compromised machine; the flaw also offers the ability to upload scripts that compromise the system, or even to query the database natively. The flaw affects version 9.0.1 and earlier of ColdFusion on machines running Windows, Mac OS X, and Unix operating systems.
More than 12,000 companies still use the Web application platform on more than 125,000 servers, including BMW, Bank of America, and AT&T.