ColdFusion Zero day vulnerability : Remote File Disclosure of Password Hashes

Yesterday Blackhatacademy released a fully automated MySQL5 boolean-based enumeration tool. Today another post exposes a highly critical ColdFusion vulnerability that affects about a tenth of all ColdFusion servers at present. It chains together multiple exploits and provides a 30-second window into the Administrator panel, which can then be used to write out a shell.

ColdFusion Markup Language is an interpreted language with a Java backend. It allows direct access to Java via its cfscript tags while simultaneously offering a simple web wrapper. It is vulnerable to a variety of attacks, but mainly local file disclosure (LFD) and SQL injection (SQLi). ColdFusion scripts commonly run as an elevated user, such as NT-Authority\SYSTEM (Windows) or root (Linux), which makes them especially susceptible to web-based attacks.

Patching a ColdFusion instance against the LFD->Bypass->RCE exploit chain is only possible on ColdFusion 8; no other versions can be patched. That being said, the official Adobe patch can be downloaded here.

