ColdFusion Zero day vulnerability : Remote File Disclosure of Password HashesYesterday Blackhatacademy Released Fully automated MySQL5 boolean based enumeration tool. Today Another post expose the most critical ColdFusion vulnerability affects about a tenth of all ColdFusion servers at the present. It chains together multiple exploits, and it provides a 30 second window into the Administrator panel. The ColdFusion Administrator panel can then be used to write out a shell.
ColdFusion Markup Language is an interpreted language utilizing a Java backend. It allows direct access to Java via its cfscript tags, while simultaneously offering a simple web wrapper. It is vulnerable to a variety of attacks, but mainly LFD and SQLi. ColdFusion scripts are commonly run as an elevated user, such as NT-Authority\SYSTEM (Windows) or root (Linux), making them especially susceptible to web-based attacks.
Patching a ColdFusion instance from the LFD->Bypass->RCE exploit can only be done on ColdFusion 8. No other versions can be patched. That being said, the official Adobe patch can be downloaded here.