This is not a new hack, it is simply explaining how the most recent vulnerability worked, which has since been patched. Although that was a gaping oversight in the adminapi. It is also shocking how many hosts have their cfadmin public, even on their own website. Yes I checked out of curiosity.
Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine On Apr 9, 2013 6:12 PM, "Dave Watts" <[email protected]> wrote: > > > FYI: > > > http://breenmachine.blogspot.com/2013/03/cool-coldfusion-post-exploitation.html > > Of course, if you block access to the CF Administrator and the admin > API, as you should, exploits like this simply won't work. I'm pretty > sure this is covered in the lockdown guides for CF 10 and CF 9. > > Dave Watts, CTO, Fig Leaf Software > http://www.figleaf.com/ > http://training.figleaf.com/ > > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on > GSA Schedule, and provides the highest caliber vendor-authorized > instruction at our training centers, online, or onsite. > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355323 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

