Allaire ColdFusion Undocumented CFML Tags Vulnerability

Solution:
From the Allaire advisory:

Allaire has released a patch that allows administrators of servers hosting multiple applications to disable the undocumented tags and functions using registry settings. To perform server administrative functions, administrators can temporarily re-enable the administrative tags and functions, and disable them again when administrative tasks are complete.

ColdFusion Admin Functions and Tags Patch for 4.01 Professional (Windows NT)
http://www.allaire.com/coldfusion.cfm?web_ID=846

ColdFusion Admin Functions and Tags Patch for 4.01 Enterprise (Windows NT)
http://www.allaire.com/coldfusion.cfm?web_ID=847

ColdFusion Admin Functions and Tags Patch for 4.01 Enterprise (Solaris)
http://www.allaire.com/coldfusion.cfm?web_ID=845

ColdFusion Admin Functions and Tags Patch for 4.01 Enterprise (HP-UX)
http://www.allaire.com/coldfusion.cfm?web_ID=848

ColdFusion Admin Functions and Tags Patch for 3.12 Professional (Windows NT)
http://www.allaire.com/coldfusion.cfm?web_ID=844

For international customers using the French, German or Japanese versions of ColdFusion 4.0, 4.01 of those versions will include this patch. French, German and Japanese versions of ColdFusion 4.01 are available through licensed VARs, resellers and directly from Allaire.

Allaire also recommends that server administrators follow the best practices for securing the ColdFusion Administrator documented in KB Article 10954 Security Best Practice: Securing the ColdFusion Administrator:
http://www.allaire.com/handlers/index.cfm?ID=10954&Method=Full



 

Copyright 2010, SecurityFocus