Still?
Blimey, I thought we'd spotted and ironed out all these types of problems back when FrontPage Server Extensions were in the wild!
A recently patched vulnerability in Adobe's ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software. In a bulletin published last week, Adobe rated the directory traversal …
We used to have a very short list of banned applications that customers were not allowed to install on managed OS servers in our data centre because they presented an unacceptable risk to other customers and our infrastructure. It was not that those apps on the list presented security vulnerabilities but that they actually were security vulnerabilities; every app on the list was top in its category for being fundamentally and irreparably insecure from the ground up, no point wasting anyone's time trying to secure it.
The list was:
1) coldfusion
end list
This vulnerability won't affect those using ColdFusion who KNOW how to secure the server. Basically all of the directories under CFIDE need to be inaccessible to the Internet or IP secured, apart from essential files that are expected to be served to clients. The experienced CF users would have done that straight after installing it.
Like any server side service it can be a chink in the armour if you don't know what you're doing with it.
Adobe were quick to release a hotfix for those who haven't tightened things down, but I echo the criticism that they failed to emphasise the critical nature of it. The Reg has done CF users and system administrators a service by pressing the fire alarm button.
@The Cube - your list must have been drawn up by someone who doesn't have much experience with ColdFusion. I have a list of dangerous things not to drive: an articulated lorry, a ferry, and a fighter jet. Needless to say I'm clueless about these but those who specialise in driving/piloting them do so very safely.
I used a bit of CF back in 2002 and before, I loved it.
The way that custom tags flow together and work was absolute magic. It's got a strong set of libraries and, if I remember at all correctly, is highly scalable.
The main reason not to use it now, for me, is it's so much more expensive than ASP.net, and I love that even more. Still, I think if you had a lot of CF stuff set up, and had stumped up the licencing for it, then it would make a great system.
Cost has been CF's biggest problem, when most competing platforms are free.
In its favour is it's very quick to develop and maintain web apps. Scaling is great and server management is a breeze.
We're mostly a Java shop now but we've still got about 20 CF servers in production. Our or our customers' sysadmins look after Windows updates but the CF side is managed (very well) by developers.
I've very fond memories of ColdFusion but I'd not want to look for a job without something else on my CV.
I'm a CF developer, and it's an incredibly strong language with a very easy to learn basic syntax right up to AJAX, mapping, graph, PDF support, LDAP, MS Exchange.. etc. etc. built in. Some of these make it an excellent choice for intranet apps rather than public facing ones. (Direct printing of PDF created reports or invoices for instance)
On my production servers I have these directories closed off unless I need to log in, which I then promptly turn off after I've done what needs to be done.
Fair point that it is more expensive than a standard LAMP setup, but in the right hands the RAD it provides far outweighs the cost.
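Two posters above describe the same control: keep everything under CFIDE off the public Internet or IP-restricted, except the files browsers genuinely need, and open the admin paths only while you are using them. The fragment below is an added illustration, not configuration from the thread or from Adobe, for an Apache httpd 2.4 instance fronting ColdFusion. The admin network 10.0.0.0/8 and the choice of /CFIDE/scripts as the only client-facing subdirectory are assumptions for the example; check what your own site actually serves before copying it.

```apache
# Added example (not from the thread). Apache httpd 2.4 in front of ColdFusion.
# Assumed for the example: 10.0.0.0/8 is the administrators' network and
# /CFIDE/scripts is the only part of CFIDE that browsers legitimately fetch.

# Out-of-the-box: nothing restricts CFIDE, so the administrator and every
# helper directory under it are reachable from anywhere.
#   <Location "/CFIDE">
#       Require all granted
#   </Location>

# Hardened: deny the whole CFIDE tree to everyone except the admin network ...
<Location "/CFIDE">
    Require ip 10.0.0.0/8
</Location>

# ... then re-open only the client-side assets. <Location> sections are
# applied in the order they appear, so this later, more specific block
# overrides the one above for /CFIDE/scripts and nothing else.
<Location "/CFIDE/scripts">
    Require all granted
</Location>
```

After a reload, a request for /CFIDE/administrator/ from an address outside 10.0.0.0/8 should return 403 while /CFIDE/scripts/ still serves normally; checking both from an external host is the quickest way to confirm the exception did not accidentally reopen the tree. The "turn it on only when I need it" practice from the post above is the same file with the admin range narrowed or the exception removed between sessions.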
I'm a Coldfusion evangelist, I basically think it's great. It is a robust extensible scripting language that allows you to build and deploy applications quickly and easily. It also integrates very well with most other web based languages.
I also think that its a great thing that these sort of things are brought out into the open. Then there is more pressure for hotfixes to be built and released.
Coldfusion is relatively mature now (ok not as mature as perl or python) but it makes .net look like an infant in 'Years' out in the wild. I think if you count the historic instances where you've seen an article like this addressing CF security issues you'll find it to be a lot less than some other server side layers.
I strongly agree with other comments made here, installing any software as 'Vanilla' and leaving it in an out-of-the-box configuration is asking for trouble. Learn to secure your environment whatever it is.
It's not perfect, but then what web technology is?
It's all about the administrator, how well he can secure the server. I haven't done much CF anymore, but I still think it's great. PHP, Perl, Java, all web languages get security patches now and then.
Nothing on earth will ever be perfect, especially web techs. But the most important thing is to share what we know so we can fix it or take proper precautions. Unlike Adobe...