I was looking at CF8 server vulnerabilities, such as this one http://www.youtube.com/watch?v=CzXLLZ8ohZU where a user can easily get into the CF admin, add a shell and then basically do what the heck they want on our server.
Can anybody tell me how to make sure that this particular vulnerability has been taken care of? Is it part of a particular service pack? When I say service pack I mean cumulative hot fix, like CHF 4 http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-4-coldfusion.html
CHF is just another term for a service pack I guess, and CHF 4 appears to be the last cumulative fix up.
My only concern is that if we had been compromised that even a hotfix would not remove any shells, although I could not find any, I am not a hacker, and those guys are very good at hiding things.
Ahh... after posting this I then saw the link to security:
http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-4-coldfusion.html#main_Security
It looks like quite a bit of work, no wonder so many people jumped ship from CF
Appreciate any guidance on this
Thanks
Mark
Hi Mark,
The CHF does contain security fixes, but not all of them. You need to check out http://helpx.adobe.com/security/products/coldfusion.html for a list of all the security patches and make sure you have applied them all.
If you keep your server updated it isn't too hard to manage, CF10 has improved this process a great deal with the hotfix installer. CF8 is no longer supported by Adobe, so if you are still on CF8 you might want to upgrade to CF9 or CF10 so you have all the latest security hotfixes.
Finally my company makes a product that helps you see what patches you have applied and which ones you need to apply called HackMyCF.
Funny enough, I did try HackMyCF earlier today; things didn't look TOO bad.
I just did the CHF 4, and 1 security fix out of the 3.
I guess that these are all I need to do?
http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-4-coldfusion.html#main_Security
I'll take a look at your link when I've done the other two
Applying patches and security fixes is like performing surgery! Every time I wonder... is the CF going to start back up?
Not the easiest patch up I've had to do... in fact, the worst!
Upgrading to CF10 will eliminate most of the headaches with patches and security fixes. A couple of clicks inside CF Administrator installs most updates.
-Carl V.
I don't want to do anything that might rock the boat with all the existing, currently working code. With Adobe you just never know what they might decide to throw in as a change that stops things working.
The P.i.t.a. now is that I've done the CHF4 and the 3 hot fixes listed on here
http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-4-coldfusion.html#main_Security
but it's difficult to understand if I've already applied some of the fixes on here, or if I have to place more of them, and which ones:
http://helpx.adobe.com/security/products/coldfusion.html
"Note: Changed Date 12/07/2009. Added more information regarding Security fixes." suggests that info on the page has been updated but security fixes not added, but it's hardly clear.
Looks like I have to take the server down and keep cutting and pasting files all over the place, like I'm part of an alpha Q.A. team.
Since CF10 Developer Edition is free (which is what the trial version turns into after it expires), why not install it on a spare desktop box and test your application on it? Then, if everything works or only minor fixes are necessary to make it work, upgrade to CF10 and eliminate all of the pain?
-Carl V.
Certainly a thought. Pick my poison: spend hours trying to put all these patches in place, or spend time installing a new version and then MAYBE hours fixing lots of web sites... urgh.
It really sucks, most definitely the worst update system ever, and the poorly written instructions don't help.
I've got that list of installs from 2007 onwards but it's not clear now, if I start installing them, am I going to screw up the work I just did? Another one says if I installed the previous one already do xyz... but do I install the previous one, or does the last one overwrite it? It's all highly unclear, and frustrating.
I had a quick look through them and didn't see anything that clearly tackled the problem of the admin hack:
http://www.youtube.com/watch?v=CzXLLZ8ohZU
I feel a break time coming on!