Cross-site vulnerabilities have been identified in ColdFusion 9. You should therefore install the latest security and cumulative hot fixes. You should also use Application.cfc in place of Application.cfm.
Thank you for the reply, but I clearly stated that, other than this instance, I do not use an Application.cfm and that I have already removed it.
I posted here to gain insight to how the [Application.cfm] exploit worked. Not how to avoid or fix it. I did that and said so.
My question is, - can the application.cfm be tricked into modifying itself? How is the mere existence of this file a danger?
Thanks in advance.
Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleanded up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.
Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368).
Going back to the reason you added an Application file in the first place, you can still achieve that with BKBK's suggestion of using an Application.cfc file. You can use getTickCount() in onRequestStart() and onRequestEnd() to time your pages. This will give you the number of milliseconds. I'm not sure if ColdFusion's DateTime objects are that precise.