Showing posts with label Charlie Arehart.
Tuesday 5 February 2013
G'day:
Hey, I'm not going to go into too much detail, but this is in reference to the recent security hole in ColdFusion that did the rounds a few weeks back.
One thing to consider is that simply putting the patch on (CF9 and CF10), or manually tightening up security (earlier versions of CF), is not all you have to do.
Friday 4 January 2013
That CFIDE security hole in ColdFusion? It's SERIOUS. So check into it NOW!
I didn't bother writing anything about this new security problem with CF, as everyone else seems to have covered the important info already.
If you're not up to speed, read all of this lot:
- Initial report on the Adobe forums
- Charlie's first tranche of investigation/feedback
- Charlie's second tranche of investigation/feedback
I am only commenting now because I have just read about people stating "oh... maybe I should get around to looking at this?"
FFS. It's a really, really, really serious security hole which is easy to exploit, and a lot of people have found they have already been exploited. This is not some esoteric, in-theory-only issue. And now that there are basically instructions for how to do it in the public domain, the risk increases.
If you have not verified you're not exposed, you are being professionally negligent.
So stop whatever you are doing and verify your externally-exposed servers are safe.
Don't piss about, and don't "do it later".
Also, if you know ColdFusion dev / admin people who don't read blogs or follow the community on Twitter, and so possibly won't know about this: get in touch with them (email, phone, etc).
Cheers.
--
Adam
Friday 16 November 2012
"Too-hard basket"
Update:
This survey is now complete. The results can be found here.
G'day:
Yesterday I nudged my readers about the survey I'm doing about CFScript improvements in CF11. I had some feedback overnight from Charlie (in the comments below) and another person saying much the same thing: the survey is a bit hard to fill out. Indeed the anonymous comment in the survey answers was precisely:
God that was hard to complete. You should have grouped tags from the same family into one. e.g. all the cfform tags as 1 option.