Fixing ColdFusion security problems requires knowing not just ColdFusion, but also the databases and ODBC drivers behind it. Below are a few holes that have been found in various databases, along with some fixes that can (hopefully) save your site.
Advisory: NT ODBC Remote Compromise - This is a 'feature' of the MS Jet Driver that allows VBA scripts to be run from within a SQL statement sent to Access.
- You can download this piece of 'medicine', which can be used to help secure your site against this hole
- After a number of tests, I've found that the full fix for this issue is to install MDAC 2.1 with all hotpacks. This removes the entire problem.
And the problem is even more dangerous than we thought. Check out this new advisory from RFP about this and an IIS RDS vulnerability.
RDS/IIS 4.0 Vulnerability and Script