Adobe ColdFusion versions 9.0, 9.0.1, and 9.0.2 do not properly check the "rdsPasswordAllowed" field when accessing the Administrator API CFC that is used for logging in. The login function never checks if RDS is enabled when rdsPasswordAllowed="true". This means that if RDS was not configured, the RDS user does not have a password associated with their username. This means by setting rdsPasswordAllowed to "true", we can bypass the admin login to use the rdsPassword, which in most cases, is blank. These details were purchased through the Packet Storm Bug Bounty program and are being released to the community.
8267635397115a7b25f386e8ba0802efb22e55b7e7adf3d4e3cdb5c91b1eb2f6
This Metasploit module exploits a pile of vulnerabilities in Adobe ColdFusion APSB13-03 including arbitrary command execution in scheduleedit.cfm (9.x only), directory traversal, and authentication bypass issues.
fc81458d632a151d75dbee734ef554512dc7bbdc7f0bfbae5d6c44fcafa675bf