Vulnerabilities found in Adobe ColdFusion

ITS Advisory Number: 2013-111
Date(s) Issued: Wednesday, November 13, 2013
Subject: Vulnerabilities found in Adobe ColdFusion
Overview: 

Vulnerabilities have been discovered in Adobe ColdFusion: one could permit a remote, authenticated user to perform reflected cross-site scripting attacks, and another could permit unauthorized remote read access. Adobe ColdFusion is a widely distributed web application platform used for the development of rich internet applications. Successful exploitation could result in an attacker gaining access to sensitive information.

Systems Affected: 
  • Adobe ColdFusion 10
  • Adobe ColdFusion 9.0.2
  • Adobe ColdFusion 9.0.1
  • Adobe ColdFusion 9
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: High (if running a ColdFusion server at home)
Description: 

Two vulnerabilities have been found in Adobe ColdFusion for Windows, Macintosh and Linux. The first is a reflected cross-site scripting vulnerability (CVE-2013-5326) that could be exploited by a remote, authenticated user on ColdFusion 10 and earlier when the CFIDE directory is exposed. The second (CVE-2013-5328) affects ColdFusion 10 and could permit unauthorized remote read access. Successful exploitation could result in an attacker gaining access to sensitive information.

Actions: 
  • Install the updates provided by Adobe immediately after appropriate testing
  • Block external access to the following folders
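As an added illustration that is not part of this advisory, the following shows how the "block external access" action can be applied to the CFIDE directory named in the description when Apache httpd fronts ColdFusion; the 10.0.0.0/8 administrative range and the httpd 2.4 directive syntax are assumptions, not taken from the advisory or the Adobe lockdown guides.

```apache
# Added example (not from the advisory): allow the ColdFusion CFIDE
# directory only from an assumed internal administration network.
# LocationMatch with (?i) is used instead of <Location "/CFIDE"> because
# on Windows installs the path is case-insensitive, so "/cfide" would
# otherwise slip past an exact-case match.
<LocationMatch "(?i)^/CFIDE">
    # Assumption: administrators connect from 10.0.0.0/8; adjust to your network.
    Require ip 10.0.0.0/8
    # All other clients receive 403 instead of reaching CFIDE content.
</LocationMatch>

# Equivalent for Apache httpd 2.2 (mod_authz_host syntax):
# <LocationMatch "(?i)^/CFIDE">
#     Order deny,allow
#     Deny from all
#     Allow from 10.0.0.0/8
# </LocationMatch>
```

After reloading httpd, a request for /CFIDE/ from an address outside the allowed range should return HTTP 403, which confirms the restriction is in effect.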
References: 
Adobe:
http://www.adobe.com/support/security/bulletins/apsb13-27.html
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-27.html
ColdFusion 9 Lockdown Guide - http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
ColdFusion 10 Lockdown Guide - http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf
Secunia:
http://secunia.com/advisories/55624/
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5328