Adobe acknowledges critical hole in ColdFusion
Adobe says it has identified a critical vulnerability, which is reportedly already being exploited in the wild, in ColdFusion 10, 9.0.2, 9.0.1, 9.0 and earlier versions on Windows, Mac, and UNIX systems. In a security advisory, Adobe says that the vulnerability permits unauthorised users to remotely retrieve files on the server. The company says it is in the process of testing a fix for the problem and expects it to be available next Tuesday, 14 May.
In the interim, the company offers a mitigation. Administrators should restrict public access to the directories CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted. For details of how to do this, Adobe directs users to the ColdFusion 9 Server Lockdown Guide and ColdFusion 10 Server Lockdown Guide. The flaw was reported to Adobe through Marcin Siedlarz of Symantec Security Response and is being referenced as CVE-2013-3336.
(djwm)
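One way to check that the interim restriction is actually in force is to audit the web server's access log for requests to the three directories that came from outside the admin network and were not refused. The following is an added example, not part of the original article or Adobe's advisory; it assumes Common Log Format, and the trusted networks, the sample log lines and the `example.cfc` file name are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Directories named in Adobe's interim mitigation.
RESTRICTED = ("/cfide/administrator", "/cfide/adminapi", "/cfide/gettingstarted")
# Assumption: networks allowed to reach the admin paths; adjust per site.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
# Responses that mean the web server refused the request.
DENIED = {401, 403, 404}
# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def is_restricted(path):
    """True if the request path falls under one of the three directories."""
    # Drop the query string, decode %xx, collapse '//' and ignore case,
    # so trivially varied spellings of the path still match.
    p = re.sub(r"/+", "/", unquote(path.split("?", 1)[0])).lower()
    return any(p == r or p.startswith(r + "/") for r in RESTRICTED)

def is_trusted(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a logged hostname is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def exposed_requests(lines):
    """Return (client, path, status) for untrusted requests that were served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path, status = m.group(1), m.group(2), int(m.group(3))
        if is_restricted(path) and not is_trusted(host) and status not in DENIED:
            hits.append((host, path, status))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '203.0.113.7 - - [09/May/2013:10:01:22 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '10.1.2.3 - - [09/May/2013:10:02:10 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.9 - - [09/May/2013:10:03:41 +0000] "GET /cfide//adminapi/example.cfc HTTP/1.1" 200 312',
    '198.51.100.9 - - [09/May/2013:10:04:05 +0000] "GET /CFIDE/gettingstarted/ HTTP/1.1" 403 199',
    '203.0.113.7 - - [09/May/2013:10:05:00 +0000] "GET /index.cfm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in exposed_requests(SAMPLE):
        print("still reachable from outside:", hit)
```

Any line it reports means the directory restriction is missing or incomplete for that path on the server that wrote the log.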
















