95% of the security issues that have come up lately have basically been
around the same thing, locking down those areas.
John
ma...@fusionlink.com
On 5/9/13 10:04 AM, Ajas Mohammed wrote:
Nevermind, Charlie has links (How to lock down the /adminapi,
/administrator, and /componentutils directories) in his blog post here
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat
<Ajas Mohammed />
iUseDropbox(http://db.tt/63Lvone9)
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high
intention, sincere effort, intelligent direction and skillful
execution; it represents the wise choice of many alternatives.
On Thu, May 9, 2013 at 9:32 AM, Ajas Mohammed <ajash...@gmail.com
<mailto:ajash...@gmail.com>> wrote:
Does anyone have instructions for IIS 6.0 ?
On Thu, May 9, 2013 at 3:54 AM, Frank Moorman
<stretch...@franksdomain.net <mailto:stretch...@franksdomain.net>>
wrote:
All,
In case you have not heard... Adobe mentioned this last night...
https://www.adobe.com/support/security/advisories/apsa13-03.html
Essentially, they believe the exploit is already out there and
is actively infecting systems.
However, it can be prevented through access controls on the
CFIDE admin directories.
AFFECTED SOFTWARE VERSIONS
ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh
and UNIX
MITIGATIONS
Adobe recommends ColdFusion customers take the following
steps to mitigate this vulnerability:
* Restrict public access to the CFIDE/administrator,
CFIDE/adminapi and CFIDE/gettingstarted directories by
following the hardening guidance in the ColdFusion 9
Lockdown Guide
<http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf>
and ColdFusion 10 Lockdown Guide
<http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf>
* Refer to the ColdFusion 9 Lockdown Guide
<http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf>
and ColdFusion 10 Lockdown Guide
<http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf>
for security best practices and further information on these
hardening techniques.
This is the first I have heard of the CFIDE/gettingstarted
directory, so I am assuming that is only on CF10. Another
directory that should be protected but is not mentioned on
this exploit (but has been mentioned on others) is the
CFIDE/componentutils directory.
If needed/desired, I can share some simple .htaccess samples
for people that need to protect CF on an apache server...
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-------------------------------------------------------------
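For the Apache case Frank offers to cover, here is an added example (not Frank's samples and not taken from the Adobe lockdown guides) of an httpd.conf fragment that denies public access to the CFIDE directories named in the advisory plus CFIDE/componentutils; the 192.0.2.0/24 administrator network is an assumed placeholder, and the Apache 2.2 access syntax is assumed because that is what most CF9/CF10 installs of the time run.

```apache
# Added example: lock down the ColdFusion administrative paths at the
# web server. Goes inside the <VirtualHost> that fronts ColdFusion.
#
# Assumptions (not from the thread or the lockdown guides):
#   - requests reach ColdFusion through Apache (mod_jrun / the CF10
#     connector), so an Apache-level deny is evaluated before proxying;
#   - 192.0.2.0/24 is a placeholder for the administrators' network.
#
# LocationMatch is used rather than Directory so the rule applies to the
# URL path even when the connector, not the filesystem, serves the request.
# The (?i) flag makes the match case-insensitive: on Windows hosts
# /cfide/Administrator/ reaches the same code as /CFIDE/administrator/,
# and a case-sensitive rule would be trivially bypassed.
<LocationMatch "(?i)^/CFIDE/(administrator|adminapi|gettingstarted|componentutils)(/|$)">
    # Apache 2.2 form: deny everyone, then allow only the admin sources.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 ::1
    Allow from 192.0.2.0/24

    # Apache 2.4 equivalent (replace the four lines above):
    #   Require ip 127.0.0.1 ::1 192.0.2.0/24
</LocationMatch>

# The same pattern can cover any further path you decide to restrict;
# keep one rule per purpose so the intent stays auditable.
```

After reloading Apache, confirm from an address outside the allowed network that each of the four paths returns 403 rather than the ColdFusion login page. This rule only protects requests that pass through Apache, so the ColdFusion built-in web server port (8500 by default) must also be unreachable from outside, which is a firewall task rather than an httpd.conf one.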