Issue

The ColdFusion MX 7 AdminAPI allows you to create CFML that duplicates all functionality of the ColdFusion administrator. All access to the AdminAPI should start with an authentication function to keep ColdFusion secure. Methods exist that call the AdminAPI without first calling this authentication function.

Solution

Adobe has released a security bulletin that includes a patch to resolve this issue. Download the ZIP file to your ColdFusion server and install the update as follows:

Windows:

Unzip the file into the webroot where /CFIDE/administrator exists. Generally, this is \inetpub\wwwroot on Windows running IIS. Make sure the 'Use Folder Names' option is checked.

Confirm that all of the *.CFC files in the /CFIDE/adminapi directory have been updated.

Linux and Solaris:

Extract using the unzip command.

unzip -d web_root HF702-APSBO6-11.zip

For example: unzip -d /opt/apache2/htdocs HF702-APSBO6-11.zip
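One way to carry out the "confirm that all of the *.CFC files have been updated" step on any platform is to hash each .cfc entry in the hotfix ZIP and compare it with the file deployed under the web root. This is an added example, not part of Adobe's bulletin; it assumes the archive's entry paths are relative to the web root (as the unzip -d web_root step implies), and the file names used in demo() are constructed sample data.

```python
import hashlib
import sys
import tempfile
import zipfile
from pathlib import Path


def verify_hotfix(zip_path, web_root):
    """Compare each .cfc entry in the hotfix ZIP with the deployed copy.

    Returns {entry name: "ok" | "missing" | "differs" | "outside-web-root"}.
    """
    root = Path(web_root).resolve()
    results = {}
    with zipfile.ZipFile(zip_path) as archive:
        for info in archive.infolist():
            # The technote writes *.CFC; match the extension case-insensitively.
            if info.is_dir() or not info.filename.lower().endswith(".cfc"):
                continue
            deployed = (root / info.filename).resolve()
            if root not in deployed.parents:
                # Entry path would land outside the web root; do not read it.
                results[info.filename] = "outside-web-root"
            elif not deployed.is_file():
                results[info.filename] = "missing"
            else:
                want = hashlib.sha256(archive.read(info)).digest()
                have = hashlib.sha256(deployed.read_bytes()).digest()
                results[info.filename] = "ok" if want == have else "differs"
    return results


def demo():
    """Run the check against a constructed archive and web root (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        hotfix, root = Path(tmp, "hotfix.zip"), Path(tmp, "web_root")
        with zipfile.ZipFile(hotfix, "w") as z:
            for name in ("patched", "stale", "absent"):
                z.writestr(f"CFIDE/adminapi/{name}.cfc", "<!--- patched --->")
        with zipfile.ZipFile(hotfix) as z:
            z.extract("CFIDE/adminapi/patched.cfc", root)  # correctly updated
        (root / "CFIDE/adminapi/stale.cfc").write_text("<!--- old --->")
        return verify_hotfix(hotfix, root)


if __name__ == "__main__":
    # Usage: python verify_hotfix.py <hotfix.zip> <web_root>; no args runs demo
    report = verify_hotfix(*sys.argv[1:3]) if len(sys.argv) == 3 else demo()
    for name, status in sorted(report.items()):
        print(f"{status:<17}{name}")
```

Any entry reported as "missing" or "differs" means the archive was extracted into the wrong directory or an old CFC is still in place.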
