Re: Another NSE to detect Coldfusion servers vulnerable to APSA13-01

[David Fifield <david () bamsoftware com>]

On Sun, Jul 14, 2013 at 02:18:45AM -0500, Paulino Calderon wrote:
> I wanted to share a quick script I had to write for a job where
> something interesting happened.
>
> They were running Coldfusion 9.0.1 with all patches and hotfixes but
> yet they still got compromised. After reviewing logs it was obvious
> that the vulnerability used was the one marked as APSA13-01
> (http://www.adobe.com/support/security/advisories/apsa13-01.html). I
> wasn't sure what was happening since the version banner at the
> administration panel showed that Coldfusion had all the patches. I
> reviewed the installation process of the corresponding hotfix
> (http://www.adobe.com/support/security/bulletins/apsb13-03.html) to
> make sure all patched files were installed correctly and to my
> surprise everything was there. The services were restarted too yet
> Nmap kept telling me the host was vulnerable.
>
> Turns out that Adobe forgot to mention that you also need to visit
> the administration panel and go to Security->RDS and reset the
> password (even if RDS is disabled like it was in this case) to
> complete the installation of the patch. My guess is that there are
> other system administrators who might have overlooked this and might
> find the script useful.

That's an interesting story. The script looks fine to me.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/