View this article at: http://www.macnn.com/articles/09/07/06/coldfusion.sec.fix.soon/
Monday, Jul 06, 2009 11:55am
Adobe plans ColdFusion fix in wake of web attacks
A ColdFusion 8 security fix is due to be released this week, says Adobe. Targeted in the patch is a problem with FCKEditor, an open-source application that comes bundled with the ColdFusion suite. The software permits file uploads and file management, features that are supposed to be disabled on a ColdFusion server; however, the connectors that expose them can sometimes remain active, creating a vulnerability. Knowledgeable hackers can call up FCKEditor's file manager and use it to upload files and gain control of a server.

The SANS Internet Storm Center notes that the threat is more than theoretical, as a "high number" of websites based on ColdFusion have already been attacked. "The attacks we've been seeing in the wild end up with inserted < script > tags into documents on compromised Web sites," says ISC member Bojan Zdrnja. "As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients."

Aside from exploiting standard ColdFusion installations, hackers are also said to be relying on third-party software such as CFWebstore, which can come bundled with FCKEditor. As a temporary solution Adobe recommends disabling connectors manually, removing unused CFM files in FCKEditor's connectors directory, and taking stock of files that have already been uploaded.
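The interim measures above (remove unused connector files, take stock of what has been uploaded) and the indicator the ISC describes (script tags pointing at other hosts inserted into pages) can be turned into a small audit script. The Python below is an added example written for this article, not Adobe's, SANS ISC's, or the FCKEditor project's tooling; the three directory constants, the host list, and the extension sets are placeholders and assumptions to be adjusted for the server being checked.

```python
"""Audit helpers for a ColdFusion server that shipped with FCKeditor's file manager.

Illustrative code added to this article; not Adobe's or SANS ISC's tooling.
All paths below are placeholders that must be set to the real server layout.
"""
import os
import re
import time
from pathlib import Path
from urllib.parse import urlparse

# Placeholder locations (assumptions, not taken from the article).
CONNECTORS_DIR = Path("/PLACEHOLDER/fckeditor/editor/filemanager/connectors/cfm")
UPLOAD_DIR = Path("/PLACEHOLDER/userfiles")
WEB_ROOT = Path("/PLACEHOLDER/wwwroot")

# Extensions the ColdFusion/servlet engine would execute if requested from an upload area.
EXECUTABLE_EXTS = {".cfm", ".cfc", ".cfml", ".jsp", ".jspx", ".asp", ".aspx", ".php"}

# Matches the src attribute of a <script> tag; a compromised page points it at another host.
SCRIPT_SRC_RE = re.compile(r"<\s*script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def list_connectors(connectors_dir) -> list:
    """Connector .cfm files still present; each one is reachable unless removed or blocked."""
    connectors_dir = Path(connectors_dir)
    if not connectors_dir.is_dir():
        return []
    return sorted(p.name for p in connectors_dir.iterdir() if p.suffix.lower() == ".cfm")


def walk_uploads(upload_dir):
    """Yield (relative path, mtime) for every file under the upload area."""
    upload_dir = Path(upload_dir)
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            full = Path(root) / name
            yield str(full.relative_to(upload_dir)), full.stat().st_mtime


def classify_uploads(entries, now: float, recent_days: int = 7) -> list:
    """Flag server-executable files and anything written within the last recent_days."""
    cutoff = now - recent_days * 86400
    report = []
    for rel_path, mtime in entries:
        ext = Path(rel_path).suffix.lower()
        report.append({
            "path": rel_path,
            "executable": ext in EXECUTABLE_EXTS,
            "recent": mtime >= cutoff,
        })
    return report


def find_injected_scripts(html: str, own_hosts: set) -> list:
    """Return script src values that load from a host outside own_hosts.

    Relative and same-host srcs are treated as legitimate; anything else is reported
    for review, because the attacks described in the article insert exactly such tags.
    """
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).netloc.lower()
        if host and host not in own_hosts:
            hits.append(src)
    return hits


def scan_web_root(web_root, own_hosts: set, exts=(".htm", ".html", ".cfm")) -> dict:
    """Map each page under web_root to the foreign script srcs found in it."""
    web_root = Path(web_root)
    findings = {}
    for root, _dirs, files in os.walk(web_root):
        for name in files:
            full = Path(root) / name
            if full.suffix.lower() not in exts:
                continue
            text = full.read_text(encoding="utf-8", errors="replace")
            hits = find_injected_scripts(text, own_hosts)
            if hits:
                findings[str(full.relative_to(web_root))] = hits
    return findings


if __name__ == "__main__":
    own = {"www.example.com"}  # hosts this site legitimately loads scripts from (assumption)
    print("connectors still present:", list_connectors(CONNECTORS_DIR))
    for row in classify_uploads(walk_uploads(UPLOAD_DIR), time.time()):
        if row["executable"] or row["recent"]:
            print("upload to review:", row)
    for page, hits in scan_web_root(WEB_ROOT, own).items():
        print("foreign script tags in", page, "->", hits)
```

Run it on the server with the three constants pointed at the real connector, upload, and web root directories. Any connector file it lists is a candidate for removal, any upload flagged as executable or recent deserves a look, and any page whose script tags reference an unfamiliar host matches the pattern the ISC reported.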