By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Adobe today released emergency updates that fix a critical vulnerability for the ColdFusion web app development platform. The bug can lead to arbitrary code execution and has been exploited in the wild. The security issue allows an attacker to bypass restrictions for uploading files. To take advantage of it, the adversary has to be able to upload executable code to a directory of files on a web server. The code can then be executed via an HTTP request, Adobe says in its security bulletin. All ColdFusion versions that do not have the current updates are affected by the vulnerability (CVE-2019-7816), regardless of the platforms, they are for. Charlie Arehart, an independent consultant credited for reporting the vulnerability, told us that he discovered the bug when it was used against one of his clients. If applying the latest updates is not possible at the moment, one method to mitigate the risk is to create restrictions for requests to directories that store uploaded files. Developers should also modify their code to disallow executable extensions and check the list themselves, as is recommended by the Adobe Coldfusion guidelines. They also add the option "Blocked file extensions for CFFile uploads" to the server settings menu to create a list of extensions that should not be uploaded by the cffile tag/functions. More complete details are posted on OUR FORUM.

 

GTranslate