Kevla, according to an Aussie security mag article, the site “was accessed through an unpatched Adobe ColdFusion vulnerability”. (http://www.scmagazine.com.au/News/309766,anonymous-to-release-40gb-cache-from-hacked-isp.aspx)
While it doesn’t tell us “what that vulnerability was”, and I appreciate you may want to know specifically what it was, I’d read it as “the problem was one for which a patch had been made available, but they had not applied it”. And I’d suggest that’s the most important lesson that anyone should take from this. :-)
A CFer worried whether they need to fear the same break-in, and about how they may protect themselves, should recognize that there are indeed many vulnerabilities that admittedly do exist, especially if one has not applied any of the many CF security hotfixes (and updated versions) that Adobe has offered to address such vulnerabilities.
But even beyond that, there are some vulnerabilities that they cannot/do not protect against within the s/w themselves, such as sql injection. For that, many sites are vulnerable simply because they’ve never implemented what was needed (code-wise, or at the web site or web application firewall level).
I appreciate, Kevla, that you may not have been asking for info on CF security in general. :-) Still, I’ll offer the following as much for others (and if perhaps it may help you, too.)
Going back to those fixes provided by Adobe, sadly, many shops seem to be ignorant of them, or assume they don’t need to worry about them, or they just never bother to add them—until they’re hacked. Of course, it’s up to people to apply the fixes. The CF security fixes are listed here: http://www.adobe.com/support/security/#coldfusion. Something that’s not obvious there is that generally you need only apply the latest fix (which will have 2 sets of steps, one for those who have and one for those who have not applied previous security hotfixes.)
(Now, before someone complains that Adobe should somehow make it possible for us to know of such fixes without “having to go hunt for them”, note that CF10 does finally add an automated hotfix mechanism, which will let people know right in the CF Admin when there are new fixes.)
Beyond that, there are several other resources that address CF and security, all of which are required reading for anyone interested in CF and web site security (which really, we all should be):
There’s even a nice page of CF security info on an OWASP wiki page:
There’s also a nice free tool which can check your server for certain known vulnerabilities (not all), and give you info on what you need to address the problems:
This is from long-time CF community contributor Pete Freitag, and his company foundeo.com (both noted for sharing CF security expertise). Note there is also a commercial edition that can look even more closely by you adding a small CFC to your server that his tool can then talk to.
His company also offers the excellent FuseGuard Web application firewall (http://foundeo.com/security/), a separately purchased product, which is one of the ways I allude to at the top, with respect to how one can put in place protections beyond the fixes, and what one may code themselves. (Before someone says, “Adobe should just buy and provide that”, just know that they are of course well aware of it, and there are pros and cons to them bundling such a web app firewall, and for now they choose not to do so.)
Finally, I offer a list of many different kinds of security tools of interest to CFers, also broken down into the different levels at which one may implement protections, at http://www.cf411.com/security.
I appreciate, Kevla, that all that wasn’t the direct answer to your question (though the first part about it being “unpatched” may have been news), but I do hope the other info may help you or others.
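As an added illustration of the point made above that SQL injection is something the server patches cannot fix for you, here is the kind of code a CF shop should be looking for in its own templates. This is example code written for this thread, not Charlie's, Adobe's or foundeo's; the datasource name "shopDS", the "products" table and the URL parameters are constructed for the illustration. The first query is the pattern that leaves a site exposed; the second and third show the same queries done with cfqueryparam, which binds the value as a typed parameter instead of pasting it into the SQL text.

```cfml
<!--- Constructed example (not from the thread): a product lookup page that
      takes its input from the query string. Datasource "shopDS" and the
      "products" table are assumed for illustration. --->
<cfparam name="url.id" default="0">
<cfparam name="url.q" default="">

<!--- VULNERABLE: the URL value is concatenated straight into the SQL, so
      whatever arrives in ?id= becomes part of the statement. No CF hotfix
      changes this; only the code (or a WAF in front of it) can. --->
<cfquery name="getProductUnsafe" datasource="shopDS">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bound parameter with a
      declared SQL type. A non-integer id is rejected before the query runs,
      and the value can never be interpreted as SQL. --->
<cfquery name="getProduct" datasource="shopDS">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same idea for free-text input: the search term is bound as varchar,
      and maxlength caps what reaches the database. --->
<cfquery name="searchProducts" datasource="shopDS">
    SELECT id, name
    FROM products
    WHERE name LIKE <cfqueryparam value="%#url.q#%"
                                  cfsqltype="cf_sql_varchar"
                                  maxlength="100">
</cfquery>

<cfoutput query="getProduct">#name#: #price#<br></cfoutput>
```

A quick way to audit an existing code base for the first pattern is to search for `#` inside `<cfquery>` blocks that is not wrapped in a `cfqueryparam`. A web application firewall such as the FuseGuard product mentioned above is a useful second layer in front of the application, but it is exactly that, a second layer; the parameterised query is the fix that belongs in the code itself.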
[insults removed by admin]
...here's the immediately useful part:
List of security hotfixes for Cold Fusion: http://www.adobe.com/support/security/#coldfusion
Applying the most recent hotfix -should- patch whatever vulnerability was exploited in the case you mentioned. The article Charlie referenced does imply that a patch exists for this vulnerability.
Another page I like to keep track of: http://www.adobe.com/support/coldfusion/downloads_updates.html#cf9
This page lists the major "Security Rollup" patches to CF. You won't get the absolute latest hotfixes here, but some might prefer to just install these rollups when they come out as opposed to every individual hotfix. The advantage to the rollups is that they are better tested and supported, and much less likely to introduce collateral problems. If you look at the technotes for the individual hotfixes, you'll notice that it's not unusual for Adobe to put out hotfixes to fix problems caused by previous hotfixes. Generally with the rollups you won't run into that kind of issue.
Wow, David, really? I tried to help the OP, and actually went "above and beyond" merely again to *help*. And you want to call me out for that?
As for "covering Adobe's behind", I don't see how what I wrote does that. I was just bringing the OP (or anyone worried about security) up to speed on the various options and circumstances to be aware of, since he seems to be expressing concern over a publicly announced CF security breach.
As for the admin's editing of your post, I had nothing to do with that. I am only today seeing these notes of yours and Adam from since I last replied. Since I get them by email, I saw your complete first post (the one now edited on the site). I also saw your other one, now deleted, accusing me of "running to the admin and crying because I was mean to him". I did neither, and I'm going to let that and your venom in the first note go rather than respond (in defense or in kind).
As I said in the other thread where you've berated me, I stand by all I've written in these forums to serve as a defense of what I do here and why. And I really do think you're digging your own hole here, in terms of how you will be perceived. Why not just let it go? Ignore my posts if you must.
But I'll tell you that I will not be "remembering your offense". I don't have the time, patience, or interest to keep track of such things. So if you someday post a question asking for help, I'll offer an answer if I sense it may be valuable for you or others, just as I would for anyone else. Really, I'm only here trying to help.
Ah, Charlie, I was worried about you! I thought maybe you were sick or something, but now reading your reply, my faith is restored.
I'm going to let that and your venom in the first note go rather than respond
He says in his 5 paragraph response. Thank you, Charlie! You're a saint.