Researchers at ProCheckUp were able to access every file -- including usernames and passwords -- from a server running ColdFusion by using a directory traversal and file retrieval flaw found within ColdFusion Administrator, the administration program for ColdFusion servers. A standard Web browser was used to carry out the attack, and no knowledge of the admin password was needed.
According to Adobe's website, ColdFusion is used by Bank of America Corp., JPMorgan Chase & Co., the Federal Reserve Bank and the United States Senate, as well as IT security companies Symantec Corp. and McAfee Inc.
Brain said his research showed that between 10 million and 20 million websites are written using ColdFusion and are configured using a typical ColdFusion admin page. "According to our research, 35% to 40% of those companies using ColdFusion have the administration page exposed, which could allow someone to read any file on the file server," Brain said.
ProCheckUp informed Adobe of the vulnerability in April, and on Aug. 10 the company produced a patch. "Adobe has been extremely good. They have worked very fast compared with some companies," Brain said. ProCheckUp has released an advisory about the vulnerability and will delay publication of the actual exploit code for seven days to allow administrators to apply patches.
But Brain warned that while Adobe's patch applied to versions 8 and 9 of ColdFusion, most users still appear to be on versions 5, 6 and 7, for which a patch has not been released.
"It is an absolutely huge vulnerability. You are looking at about 10 to 20 million websites that can easily be defaced by using it," he said. "I would advise anyone running ColdFusion 7 or below to prevent access to the ColdFusion administrator directory. That means changing the Web server console settings to prevent access to the CFIDE directory."
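As an added illustration that is not part of the article or of ProCheckUp's advisory: a defender-side check over web server access logs that flags two conditions the article raises, traversal sequences in requests under /CFIDE/ (including percent-encoded and double-encoded forms) and any access to /CFIDE/administrator from outside an assumed administrator network. The log lines and the 10.0.0.0/8 admin range are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2010:09:01:10 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2010:09:02:31 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2010:09:02:45 +0000] "GET /CFIDE/administrator/page.cfm?file=..%2F..%2F..%2Fconfig.xml HTTP/1.1" 200 1890
198.51.100.2 - - [12/Aug/2010:09:03:02 +0000] "GET /index.cfm?id=42 HTTP/1.1" 200 8000
198.51.100.2 - - [12/Aug/2010:09:03:20 +0000] "GET /CFIDE/scripts/x.cfm?p=%252e%252e/%252e%252e/ HTTP/1.1" 200 300
"""

# Networks administrators are expected to come from; an assumption for this example.
ADMIN_NETS = [ip_network("10.0.0.0/8")]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # "../" or "..\" after decoding

def fully_decode(path, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %2e%2e and %252e%252e both surface."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def from_admin_net(src):
    """True if the client address lies in one of the trusted administrator networks."""
    try:
        return any(ip_address(src) in net for net in ADMIN_NETS)
    except ValueError:  # hostname or '-' instead of an address: treat as untrusted
        return False

def classify(line):
    """Return finding labels for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, _method, target, _status = m.groups()
    decoded = fully_decode(target)
    lowered = decoded.lower()
    findings = []
    if lowered.startswith("/cfide/"):
        if TRAVERSAL_RE.search(decoded):
            findings.append("traversal-under-cfide")
        if "/cfide/administrator" in lowered and not from_admin_net(src):
            findings.append("admin-from-untrusted-net")
    return findings

def scan(log_text):
    """Map the index of each flagged line to its findings."""
    return {i: f for i, line in enumerate(log_text.splitlines()) if (f := classify(line))}
```

Any hit on "admin-from-untrusted-net" against a server that has not yet been patched is a direct indicator that the CFIDE restriction the article recommends is not in place.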