Adobe ColdFusion Authentication Bypass (APSB13-03)
Critical Nessus Plugin ID 64689
Synopsis
A web management interface running on the remote host is affected by an authentication bypass vulnerability.
Description
The version of Adobe ColdFusion running on the remote host is affected by an authentication bypass vulnerability. When RDS is disabled and not configured with password protection, it is possible to authenticate as an administrative user without providing a username or password. A remote, unauthenticated attacker can exploit this to gain administrative access to the ColdFusion Administrator interface. After authenticating, it is possible to write arbitrary files to the host, resulting in arbitrary code execution. This vulnerability is being exploited in the wild.
This version of ColdFusion is reportedly affected by several additional vulnerabilities; however, Nessus has not checked for those issues.
Solution
Apply the appropriate hotfix referenced in Adobe security bulletin APSB13-03.