80 million websites could be compromised due to a flaw in Adobe ColdFusion

As many as 80 million websites could easily be compromised due to a flaw in Adobe's ColdFusion programming language.

Users of Adobe's ColdFusion programming language are at risk of losing control of their applications and websites, according to penetration testing company ProCheckUp.

It said that it was able to access every file from a server running ColdFusion and harvest usernames and passwords. It said that this was completed through a directory traversal and file retrieval flaw found within ColdFusion administrator.

A competent attacker would be able to steal files from the server and gain access to secure areas and eventually modify content or shut down the website or application, according to the company.

Richard Brain, co-founder of ProCheckUp, claimed that a standard web browser was used to carry out the attack and knowledge of the admin password is not needed.

He said: “This is a trivial attack which can be performed easily by a competent engineer; ProCheckUp thanks Adobe for consciously working with us to produce a patch which fixes the traversal attack. By performing a simple Google search for 'inurl:index.cfm', it found over 80 million examples of sites using ColdFusion.”

ProCheckUp has released an advisory relating to this flaw, though it will not publish the exploit code for seven days to give administrators time to apply the Adobe patches. A patch was released on the 10th August with Adobe categorising it as an ‘important' update and recommending that users apply the latest update for their product installation.

Brain said that ProCheckUp felt it was unwise to delay releasing the exploit any longer, as the exploit is trivial and can be easily determined by analysing the patches.

Sign up to our newsletters