Re: Another NSE to detect Coldfusion servers vulnerable to APSA13-01
From: David Fifield <david () bamsoftware com>
Date: Sun, 14 Jul 2013 22:34:34 -0700
On Sun, Jul 14, 2013 at 02:18:45AM -0500, Paulino Calderon wrote:
> I wanted to share a quick script I had to write for a job where
> something interesting happened.
>
> They were running Coldfusion 9.0.1 with all patches and hotfixes but
> yet they still got compromised. After reviewing logs it was obvious
> that the vulnerability used was the one marked as APSA13-01. I
> wasn't sure what was happening since the version banner at the
> administration panel showed that Coldfusion had all the patches. I
> reviewed the installation process of the corresponding hotfix to
> make sure all patched files were installed correctly and to my
> surprise everything was there. The services were restarted too yet
> Nmap kept telling me the host was vulnerable.
>
> Turns out that Adobe forgot to mention that you also need to visit
> the administration panel and go to Security->RDS and reset the
> password (even if RDS is disabled like it was in this case) to
> complete the installation of the patch. My guess is that there are
> other system administrators who might have overlooked this and might
> find the script useful.

That's an interesting story. The script looks fine to me.
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/