This is not a new hack, it is simply explaining how the most recent
vulnerability worked, which has since been patched. Although that was a
gaping oversight in the adminapi.
It is also shocking how many hosts have their cfadmin public, even on their
own website. Yes I checked out of curiosity.


Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Apr 9, 2013 6:12 PM, "Dave Watts" <[email protected]> wrote:

>
> > FYI:
> >
> http://breenmachine.blogspot.com/2013/03/cool-coldfusion-post-exploitation.html
>
> Of course, if you block access to the CF Administrator and the admin
> API, as you should, exploits like this simply won't work. I'm pretty
> sure this is covered in the lockdown guides for CF 10 and CF 9.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355323
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Reply via email to