I didn't bother writing anything about this new security problem with CF, as everyone else seems to have covered the important info already.
If you're not up to speed, read all of this lot:
- Initial report on the Adobe forums
- Charlie's first tranche of investigation/feedback
- Charlie's second tranche of investigation/feedback
I am only commenting now because I have just read about people stating "oh... maybe I should get around to looking at this?"
FFS. It's a really really really serious security hole which is easy to exploit, and a lot of people have found they have been exploited. This is not some esoteric in-theory-only issue. And now that basically there are instructions of how to do it in the public domain, the risk increases.
If you have not verified you're not exposed, you are being professionally negligent.
So stop whatever you are doing and verify your externally-exposed servers are safe.
Don't piss about, and don't "do it later".
Also, if you know ColdFusion dev / admin people who don't read blogs, follow the community on Twitter and possibly won't know about this: get in touch with them (email, phone, etc).
Cheers.
--
Adam