Adobe has just released Security Bulletin APSB08-21 for a privilege escalation issue in ColdFusion. The issue only affects your ColdFusion installation if you are using Sandbox Security: if you have configured a sandbox to limit access to specific parts of the filesystem, it may be possible to access information outside that sandbox. This is particularly important for shared hosting servers, because those are the most likely to have Sandbox Security enabled.
Patches are available for ColdFusion 7.0.2, 8.0.0 and 8.0.1. At Prisma IT we have been testing the patch for ColdFusion 8.0.1 for a while now and have not found any side effects from applying it to our shared hosting servers.
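Adobe has not published the details of the vector, so the template below does not reproduce it. It is an added example for this post, not code from the original article or from Adobe, that does the minimum a shared hosting administrator should do after applying the hotfix: from inside a sandboxed site, attempt plain file reads at a few locations that the sandbox is supposed to deny and confirm that every one of them fails with a Security exception. The sandbox is assumed to grant Files/Dirs access only to the site's own directory; the three probe paths are hypothetical locations outside it, and the control read of the template itself shows that reads inside the sandbox still work.

```cfml
<!--- sandboxcheck.cfm
      Added example, not part of the original post or of Adobe's bulletin.
      Deploy inside a sandboxed site and request it once. Assumptions:
        - the sandbox's Files/Dirs permission covers only the site's own directory
        - the probe paths below are hypothetical and lie OUTSIDE that directory
        - a sandbox denial surfaces as a cfcatch of type "Security" (standard CF behaviour)
      Expected result after the hotfix: the control line reads READABLE, every probe reads DENIED. --->

<cfset probes = ArrayNew(1)>
<!--- hypothetical: server-wide datasource configuration, holds every tenant's DSN settings --->
<cfset ArrayAppend(probes, "C:\ColdFusion8\lib\neo-datasource.xml")>
<!--- hypothetical: a neighbouring tenant on the same shared server --->
<cfset ArrayAppend(probes, "C:\inetpub\sites\customer-b\Application.cfm")>
<!--- hypothetical: an operating system file no tenant should be able to read --->
<cfset ArrayAppend(probes, "C:\Windows\system32\drivers\etc\hosts")>

<cffunction name="probeRead" returntype="string" output="false">
    <cfargument name="path" type="string" required="true">
    <!--- CF8 has no implicit local scope, so declare the local with var --->
    <cfset var content = "">
    <cftry>
        <cffile action="read" file="#arguments.path#" variable="content">
        <!--- Reaching this line means the sandbox let the read through --->
        <cfreturn "READABLE (#Len(content)# bytes) - the sandbox did NOT block this path">
        <cfcatch type="security">
            <cfreturn "DENIED (#cfcatch.message#)">
        </cfcatch>
        <cfcatch type="any">
            <!--- A missing file or I/O error proves nothing about the sandbox; re-run with a path that exists --->
            <cfreturn "INCONCLUSIVE (#cfcatch.type#: #cfcatch.message#)">
        </cfcatch>
    </cftry>
</cffunction>

<cfoutput>
<p>Control, inside the sandbox: #GetCurrentTemplatePath()# => #probeRead(GetCurrentTemplatePath())#</p>
<cfloop index="i" from="1" to="#ArrayLen(probes)#">
    <p>Probe #i#: #probes[i]# => #probeRead(probes[i])#</p>
</cfloop>
</cfoutput>
```

Any probe that comes back READABLE is a misconfigured sandbox (or an unpatched server) and needs attention before the box is handed to tenants; an INCONCLUSIVE result just means the hypothetical path does not exist on that server and should be replaced with a real one. This only exercises the ordinary cffile path, so a clean run is a necessary check, not proof that the bulletin's issue is closed.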

If you are a ColdFusion user and this blog post is the first you have read about this issue, you really should subscribe to the Adobe Security Notification Service. You will get emails for all the important security updates from Adobe, and it is an invaluable tool for staying on top of security.

12 Comments

  1. Brad Wood says:

    Pretty interesting. I wonder how the exploit is carried out. I also don't necessarily expect that information to be public either. :)

    Security patches don't seem to be that common with CF. I'm not 100% sure if that is because CF is generally so rock solid or because there just aren't enough prying eyes trying to exploit it.

  2. Tom Chiverton says:

    The attack surface of a CF application is generally low too, of course.

  3. Jochem says:

    Considering the nature of the Sandbox Security issues I have so far personally reported to Adobe I am leaning towards a lack of prying eyes. For the issue described in MPSB01-11 the engineers told me I was probably the only one in the world using the combination of features that caused the issue.

  4. Matt Quackenbush says:

    Jochem,

    A user on the Sava forums indicated that installing this patch caused all of his SQL Server connections to now require credentials to be passed with the tag. I can't fathom that being the intended behavior. I would be interested in your thoughts.

    http://www.gosava.com/sava/forum/messages.cfm?threadid=74390482-F355-D392-F9B164567059F345&page=1

    Thanks. :-)

  5. Jochem says:

    All our SQL Server datasource connections work correctly without passwords in every query. That is on CF 8.0.1 Enterprise in multiserver configuration though.

  6. Matt Quackenbush says:

    @ Jochem- Thanks. That is exactly what I would expect.

  7. Josh Adams says:

    Thanks for your help in identifying and resolving this issue, Jochem!

  8. Sebastiaan says:

    Hi Jochem,

    I got our hosting provider Webstekker to install this hotfix on their web servers (shared hosting) and it jammed up all the CF 8.0.1 installations. Any ideas as to why? It suddenly asked for credentials in IIS. Not really related, I know, but CF8 with the hotfix installed all crashed regularly.

  9. Jochem says:

    I find it very hard to believe that IIS suddenly asking for credentials can be related to the hotfix. Just think about how ColdFusion is really an application server that stands alone and runs in its own memory space. Only a very small part is loaded into the web server: the web server connector in the wsconfig directory. The only way IIS is ever going to give a credentials error is if there is a credential problem in that web server connector part. The hotfix does not alter the connector, so it is not the cause of the IIS credentials errors.

    Apart from that I have recently helped somebody move away from Webstekker because of the security configuration of their servers. This hotfix is really the least of their problems.

  10. Sebastiaan says:

    So what was your issue with Webstekker? Maybe you can enlighten me off-site (privately via e-mail). I'm VERY happy with Webstekker at the moment.

  11. Jochem says:

    I'll be publishing a number of articles about shared hosting security shortly. Those articles should provide plenty of examples of how to exploit shared ColdFusion hosting from the inside. I just have to finish the editing and clean up the example code.

  12. “it could be bunnies” » Blog Archive » Shared hosting security wishlist says:

    [...] I have posted a number of posts on the state of shared hosting security. Unfortunately we have to conclude [...]