
Adobe patches ColdFusion vulnerability blocking website attack

SearchSecurity.com Staff


Adobe Systems Inc. has issued a patch fixing a vulnerability in its ColdFusion application development platform that left many websites at risk of intrusion.

The patch disables a file-upload feature that ColdFusion shipped enabled by default, closing off the path attackers have been using to compromise ColdFusion-based websites.

According to the Adobe security bulletin, the vulnerability lies in FCKeditor, a rich text editor installed by default with ColdFusion 8. On an unpatched server, a remote attacker could upload files to arbitrary directories on the web server, which in turn can lead to a complete system compromise.

Related: Adobe ColdFusion websites being compromised. Popular websites run by Simon & Schuster, Crayola, FAO Schwarz and others could be at risk. A flaw in the ColdFusion rich text editor is being actively exploited, Adobe says.

"Adobe categorizes this as a critical issue and recommends affected users patch their installations," the software maker said in the security bulletin.

There have been reports of limited attacks against websites built on ColdFusion. The SANS Internet Storm Center reported last week that attackers have been exploiting the flaw on vulnerable sites.

"The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server," wrote Bojan Zdrnja, a SANS ISC handler.

Adobe issued a hotfix to address the issue. The update turns off file-upload capabilities by default and restricts access to the .cfm files in the FCKeditor filemanager directory. The fix can be applied through the ColdFusion Administrator.
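For administrators who cannot apply the hotfix immediately, or who want to know whether a server was hit before it was patched, the attack pattern Zdrnja describes (an upload through the FCKeditor connector followed by a request for the uploaded shell) is visible in ordinary web server access logs. The script below is an added example, not code from the article, Adobe or SANS. It assumes the FCKeditor copy bundled with ColdFusion 8 lives under /CFIDE/scripts/ajax/FCKeditor/ and that uploads land under a /userfiles/ directory (both paths are assumptions; confirm them against your own installation). The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import unquote

# Assumed paths: where ColdFusion 8 ships FCKeditor and where its file manager
# writes uploads. Adjust to match the server being examined.
CONNECTOR_DIR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/"
UPLOAD_DIR = "/userfiles/"
# Extensions the web server would execute if fetched from the upload directory.
SCRIPT_EXTS = (".cfm", ".cfml", ".cfc", ".asp", ".aspx", ".jsp")

# Apache/IIS "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one attacker (203.0.113.7) browses the connector, uploads a
# file, then calls the uploaded .cfm; a second client fetches an ordinary image.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2009:10:01:22 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jul/2009:10:02:05 +0000] "GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm?Command=GetFolders&Type=File&CurrentFolder=/ HTTP/1.1" 200 312
203.0.113.7 - - [14/Jul/2009:10:02:41 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 184
203.0.113.7 - - [14/Jul/2009:10:03:02 +0000] "GET /userfiles/file/cmd.cfm?cmd=whoami HTTP/1.1" 200 903
198.51.100.5 - - [14/Jul/2009:10:05:11 +0000] "GET /userfiles/image/logo.png HTTP/1.1" 200 2211
"""


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    url: str
    status: int
    reason: str


def classify(method: str, url: str) -> str:
    """Return why a request is suspicious, or "" if it looks benign."""
    path, _, query = url.partition("?")
    # Percent-decode and lower-case so /CFIDE, /cfide and %2Fcfide all match.
    path = unquote(path).lower()
    query = unquote(query).lower()
    if path.startswith(CONNECTOR_DIR):
        if method == "POST" and ("command=fileupload" in query or path.endswith("/upload.cfm")):
            return "file upload through FCKeditor connector"
        return "FCKeditor connector access"
    if UPLOAD_DIR in path and path.endswith(SCRIPT_EXTS):
        return "script file requested from upload directory"
    return ""


def analyze(lines) -> List[Finding]:
    """Parse access log lines and keep the ones that touch the FCKeditor attack path."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or non-matching lines
        reason = classify(m["method"], m["url"])
        if reason:
            findings.append(Finding(m["ip"], m["ts"], m["method"], m["url"],
                                    int(m["status"]), reason))
    return findings


def correlate(findings: List[Finding]) -> Set[str]:
    """Client IPs that uploaded via the connector and then successfully fetched a
    script file from the upload directory: the signature of a planted web shell."""
    uploaded: Set[str] = set()
    suspects: Set[str] = set()
    for f in findings:  # log order is time order
        if f.reason.startswith("file upload"):
            uploaded.add(f.ip)
        elif f.reason.startswith("script file") and f.ip in uploaded and f.status < 400:
            suspects.add(f.ip)
    return suspects


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.status} {h.reason}: {h.url}")
    print("likely web shell planted by:", sorted(correlate(hits)))
```

Any IP reported by correlate() warrants pulling the server's upload directory for recently created .cfm, .asp or similar files; a connector upload with no follow-up fetch is still worth a look, since a shell may be called from a different address later.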

