by antihero 4790 days ago
The ColdFusion hack...wow. How is CF engineered so badly? What person nowadays would still think to take paths of anything at all ever in the request parameters? I can sort of understand pre-2003 or something, but CF10 was released in 2012, for Pete's sake.

Also makes you wonder, if there are holes like this, how many more holes like this are there? Especially if this is a pattern across the system.

1 comment

There are a bunch of holes in CF like this. Look at their bug/security fix list for ColdFusion (pretty much any version), and half of the security fixes are targeted at CFIDE-based vulnerabilities. Any CF admin worth their salt disallows access to CFIDE as a matter of course.
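The two practices the thread argues for, never trusting a file path taken from a request parameter and fencing off the /CFIDE/ tree by default, as an added example in plain Python. This is not code from the thread or from Adobe's ColdFusion; the document root, the helper names, the admin allowlist and the sample requests are assumptions made for illustration, and the thread does not name a specific endpoint.

```python
"""Added example, not code from the thread or from Adobe's ColdFusion.

  resolve_under_root()     - a request parameter that names a file is mapped
                             to a path strictly below a fixed document root;
                             anything that escapes the root is rejected.
  is_blocked_admin_path()  - deny-by-default for the /CFIDE/ tree (the
                             "disallow access to CFIDE" step), with an
                             optional allowlist of admin source addresses.

DOC_ROOT, the helper names and the sample requests are assumptions.
"""
import posixpath
from pathlib import Path
from urllib.parse import unquote

DOC_ROOT = Path("/var/www/site").resolve()   # assumed document root
ADMIN_PREFIX = "cfide"                        # first path segment to fence off


def resolve_under_root(user_path, root=DOC_ROOT):
    """Return the resolved file path for a request-supplied name, or None.

    The caller must only ever open the returned path, never `user_path`.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:                     # NUL truncation tricks
        return None
    # Treat backslashes as separators too: on Windows-hosted servers
    # '..\\..\\' walks directories just like '../../'.
    decoded = decoded.replace("\\", "/")
    # A leading '/' would otherwise discard `root` when joined.
    relative = decoded.lstrip("/")
    candidate = (root / relative).resolve()   # collapses '..' and symlinks
    # Containment is judged on the *resolved* path, so encoded or nested
    # '..' sequences are checked by where they actually land. The root
    # directory itself is not served either.
    if root not in candidate.parents:
        return None
    return candidate


def is_blocked_admin_path(request_path, client_ip, allowed_admin_ips=frozenset()):
    """True when `request_path` reaches into /CFIDE/ and the client is not
    on the admin allowlist.

    The decoded, normalized first path segment is compared case-insensitively,
    so '/cfide/..%2FCFIDE/x' and '/foo/../CFIDE/administrator/' are caught
    as well as the plain form.
    """
    decoded = unquote(request_path).replace("\\", "/")
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))  # collapse '.', '..'
    first_segment = normalized.lstrip("/").split("/", 1)[0]
    if first_segment.lower() != ADMIN_PREFIX:
        return False
    return client_ip not in allowed_admin_ips


def handle_request(path, client_ip, file_param=None, allowed_admin_ips=frozenset()):
    """Minimal dispatcher tying both checks together; returns an HTTP status."""
    if is_blocked_admin_path(path, client_ip, allowed_admin_ips):
        return 403                            # admin tree is off limits
    if file_param is not None and resolve_under_root(file_param) is None:
        return 400                            # path parameter escapes the root
    return 200


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.0/24 is documentation space.
    samples = [
        ("/index.cfm", "203.0.113.5", "docs/a.pdf"),
        ("/download.cfm", "203.0.113.5", "../../etc/passwd"),
        ("/CFIDE/administrator/index.cfm", "203.0.113.5", None),
        ("/cfide/..%2FCFIDE/adminapi/x.cfc", "203.0.113.5", None),
    ]
    for path, ip, param in samples:
        print(handle_request(path, ip, param), path, param)
```

The block-then-allowlist ordering matters: the /CFIDE/ check runs before any parameter is looked at, so a request that reaches the admin tree never gets as far as file handling. If the web server in front of the application can do the same prefix block, do it there as well and treat the application-level check as defence in depth.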