> My company is running CF8 on IIS.  We have a website that doesn't get much 
> use in between biannual meetings.
> I just noticed the following code that was inserted into one of the 
> subfolder's index.cfm files.  I'm not seeing any
> other changes in any other file (yet) and the server doesn't appear to have 
> taken a hit, but I'm not even sure what
> this code is doing, how it got there, and whether it's harmful.

Any code that can write to your server's filesystem is potentially
harmful. This code appears to do that, along with listing files on
your filesystem and allowing viewers to download them. Both of these
things are potentially harmful, unless you explicitly want to do that.

> Next steps (other than yanking out the code, which I've already done)???

Why is CF allowed to write to the web root? If you prevent CF from
writing files where it generally shouldn't, you can prevent a lot of
these types of vulnerabilities. Preventing this may involve changing
CF's login from SYSTEM to a non-privileged user in addition to setting
filesystem permissions.

I would recommend that you read the excellent CF 9 Lockdown Guide,
which I think is still on the Adobe site. Then, do the things it says
to do.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353745
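An added example, not part of the original message and not Fig Leaf's or Adobe's code: a triage scan that walks a web root and flags CFML templates containing tags for the three behaviours described in the reply (writing files, listing files, serving files for download), newest modification first. The tag patterns, the `meetings` folder name and the sample templates are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed tag/function patterns for the three behaviours the reply names:
# writing to the filesystem, listing files, and serving files for download.
PATTERNS = {
    "write": re.compile(
        r"<cffile\b[^>]*\baction\s*=\s*[\"']?"
        r"(write|append|upload|uploadall|copy|move|rename)\b|\bFileWrite\s*\(",
        re.I),
    "list": re.compile(r"<cfdirectory\b|\bDirectoryList\s*\(", re.I),
    "download": re.compile(r"<cfcontent\b[^>]*\bfile\s*=", re.I),
}
CFML_SUFFIXES = {".cfm", ".cfml", ".cfc"}


def scan_webroot(root):
    """Return (relative path, capabilities, mtime) per flagged template, newest first."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in CFML_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        caps = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
        if caps:
            rel = path.relative_to(root).as_posix()
            findings.append((rel, caps, path.stat().st_mtime))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def demo():
    """Scan a constructed web root (sample files, not taken from the post)."""
    with tempfile.TemporaryDirectory() as root:
        sub = Path(root, "meetings")  # hypothetical subfolder name
        sub.mkdir()
        Path(root, "index.cfm").write_text("<cfoutput>#Now()#</cfoutput>")
        (sub / "index.cfm").write_text(
            '<cffile action="write" file="#f#" output="#body#">\n'
            '<cfdirectory action="list" directory="#d#" name="q">\n'
            '<cfcontent file="#p#" type="application/octet-stream">\n')
        return [(rel, caps) for rel, caps, _ in scan_webroot(root)]


if __name__ == "__main__":
    for rel, caps in demo():
        print(rel, ",".join(caps))
```

Legitimate application templates use these tags too, so each hit is a candidate for review against a known-good copy of the site rather than proof of tampering.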