
Fixing Security Vulnerabilities in CF8

Enthusiast, Mar 14, 2014

I was looking at CF8 server vulnerabilities, such as this one http://www.youtube.com/watch?v=CzXLLZ8ohZU where a user can easily get into the CF admin, add a shell and then basically do what the heck they like on our server.

Can anybody tell me how to make sure that this particular vulnerability has been taken care of? Is it part of a particular service pack? When I say service pack I mean cumulative hot fix, like CHF 4 http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-4-coldfusion.html

CHF is just another term for a service pack I guess, and CHF 4 appears to be the last cumulative fix up.

My only concern is that, if we had been compromised, even a hotfix would not remove any shells. Although I could not find any, I am not a hacker, and those guys are very good at hiding things.

Ahh.. after posting this I then saw the link to security

http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-4-coldfusion.html#main_Security

It looks like quite a bit of work, no wonder so many people jumped ship from CF

Appreciate any guidance on this

Thanks

Mark

Enthusiast, Mar 14, 2014

Hi Mark, the CHF does contain security fixes, but not all of them. You need to check out http://helpx.adobe.com/security/products/coldfusion.html for a list of all the security patches and make sure you have applied them all.

If you keep your server updated it isn't too hard to manage; CF10 has improved this process a great deal with the hotfix installer. CF8 is no longer supported by Adobe, so if you are still on CF8 you might want to upgrade to CF9 or CF10 so you have all the latest security hotfixes.

Finally my company makes a product that helps you see what patches you have applied and which ones you need to apply called HackMyCF.

Enthusiast, Mar 14, 2014

Funny enough I did try the hackmyCF earlier today, things didn't look TOO bad

I just did the CHF 4, and 1 security fix out of the 3

I guess that these are all I need to do?

http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-4-coldfusion.html#main_Security

I'll take a look at your link when I've done the other two

Applying patches and security fixes is like performing surgery! Every time I wonder.. is the CF going to start back up!

Not the easiest patch up I've had to do .. in fact, the worst!

Guide, Mar 14, 2014

Upgrading to CF10 will eliminate most of the headaches with patches and security fixes. A couple of clicks inside CF Administrator installs most updates.

-Carl V.

Enthusiast, Mar 14, 2014

I don't want to do anything that might rock the boat with all the existing, currently working code. With Adobe you just never know what they might decide to throw in as a change that stops things working.

The P.i.t.a. now is that I've done the CHF4 and the 3 hot fixes listed on here

http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-4-coldfusion.html#main_Security

but it's difficult to understand if I've already applied some of the fixes on here, or if I have to place more of them and which ones

http://helpx.adobe.com/security/products/coldfusion.html

"Note: Changed Date 12/07/2009. Added more information regarding Security fixes." suggests that info on the page has been updated but security fixes not added, but it's hardly clear.

Looks like I have to take the server down, and keep cutting and pasting files all over the place, like I'm part of an alpha Q.A. team

Guide, Mar 14, 2014
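The question raised twice above (which hotfixes are already on the box, and which ones from the security list are still missing) can be answered with a small inventory script. This is an added example, not code from the thread or from Adobe; it assumes CF8 hotfixes are delivered as JAR files placed in {cf_root}/lib/updates and named hf<version>-<bugid>.jar, and the hotfix ids and files it builds are constructed placeholders, not real Adobe hotfix numbers.

```python
"""Inventory the hotfix JARs present in a ColdFusion 8 lib/updates directory
and report which entries from a required list are missing.

Assumption: CF8 hotfixes are JARs in {cf_root}/lib/updates named like
hf800-12345.jar (hf<version>-<bugid>.jar). All ids below are constructed
placeholders for the demo, not real Adobe hotfix numbers.
"""
import os
import re
import tempfile

# Match hf<3-digit version>-<bug id>.jar, case-insensitively (Windows installs
# may have mixed-case names).
HOTFIX_RE = re.compile(r"^hf(\d{3})-(\d+)\.jar$", re.IGNORECASE)


def applied_hotfixes(updates_dir):
    """Return the set of normalised hotfix ids (e.g. 'hf800-00001') found."""
    found = set()
    if not os.path.isdir(updates_dir):  # missing dir means nothing applied
        return found
    for name in os.listdir(updates_dir):
        m = HOTFIX_RE.match(name)
        if m:
            found.add(f"hf{m.group(1)}-{m.group(2)}")
    return found


def missing_hotfixes(updates_dir, required):
    """Return the required ids not present, sorted for a stable report."""
    return sorted(set(required) - applied_hotfixes(updates_dir))


def build_sample_updates_dir():
    """Create a constructed lib/updates tree with placeholder jar names."""
    root = tempfile.mkdtemp(prefix="cf8_demo_")
    updates = os.path.join(root, "lib", "updates")
    os.makedirs(updates)
    # Two valid hotfix jars, one unrelated file, one malformed name.
    for name in ("hf800-00001.jar", "HF800-00002.JAR", "readme.txt", "hf800-bad.jar"):
        open(os.path.join(updates, name), "w").close()
    return updates


if __name__ == "__main__":
    demo_dir = build_sample_updates_dir()
    required = ["hf800-00001", "hf800-00002", "hf800-00003"]  # placeholders
    print("applied:", sorted(applied_hotfixes(demo_dir)))
    print("missing:", missing_hotfixes(demo_dir, required))
```

On a real server, point `applied_hotfixes` at the actual lib/updates path and fill `required` from the ids listed on the Adobe security page for your version.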

Since CF10 Developer Edition is free (which is what the trial version turns into after it expires), why not install it on a spare desktop box and test your application on it? Then, if everything works or only minor fixes are necessary to make it work, upgrade to CF10 and eliminate all of the pain?

-Carl V.

Enthusiast, Mar 14, 2014

Certainly a thought. Pick my poison, spend hours trying to put all these patches in place, or spend time installing a new version, and then MAYBE hours fixing lots of web sites.. urgh

It really sucks, most definitely the worst update system ever; the poorly written instructions don't help.

I've got that list of installs from 2007 onwards but it's not clear now. If I start installing them, am I going to screw up the work I just did? Another one says if I installed the previous one already do xyz.. but do I install the previous one, or does the last one overwrite it? It's all highly unclear, and frustrating.

I had a quick look through them and didn't see anything that clearly tackled the problem of the admin hack

http://www.youtube.com/watch?v=CzXLLZ8ohZU

I feel a break time coming on!
