Adobe Systems Inc. has issued a patch fixing a vulnerability in its ColdFusion application development platform that left many websites at risk of intrusion.
The patch hardens ColdFusion by turning off a file-upload feature that was enabled by default, closing the route an attacker could use to plant files on, and then take over, a website running the platform.
According to the Adobe security bulletin, the vulnerability is in FCKeditor, a rich-text editor installed by default with ColdFusion 8. Left unpatched, it could allow a remote attacker to upload files into arbitrary directories on the server, which can ultimately lead to a full system compromise.
"Adobe categorizes this as a critical issue and recommends affected users patch their installations," the software maker said in the security bulletin.
"The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server," wrote Bojan Zdrnja, a SANS ISC handler.
Adobe issued a hot fix to address the issue. The update turns off file-upload capabilities by default and restricts access to .cfm files in the FCKeditor filemanager directory. The fix can be applied through the ColdFusion Administrator.
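The attack the article describes leaves a recognisable trail in web-server logs: POST requests to the FCKeditor file-manager connector, and then requests for a ColdFusion template served out of the upload directory (the shell Zdrnja mentions). The following scanner is an added example, not code from the article, Adobe or the FCKeditor project. It assumes the bundled editor is served under /CFIDE/scripts/ajax/FCKeditor/ and that uploads land under /userfiles/ (neither path is stated in the article; adjust both for the deployment being watched), and the log lines it parses are constructed for the example in Apache "combined" format.

```python
"""Flag access-log entries that touch the FCKeditor file manager on ColdFusion 8.

Added example for the article above; not Adobe's or FCKeditor's code.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined format: ip ident user [ts] "METHOD url HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumptions (not stated in the article): the bundled FCKeditor lives under
# /CFIDE/scripts/ajax/FCKeditor/ and its default upload target is /userfiles/.
# Match case-insensitively; the CFIDE tree is often on a case-insensitive FS.
CONNECTOR_RE = re.compile(r"/fckeditor/editor/filemanager/", re.I)
UPLOAD_DIR_RE = re.compile(r"^/userfiles/.*\.cfm$", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|\x00")

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2009:04:12:01 +0000] "GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/browser/default/browser.html?Type=File HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2009:04:12:09 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2009:04:12:15 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm?Command=FileUpload&Type=File&CurrentFolder=%2E%2E%2F%2E%2E%2Fcfide%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2009:04:13:00 +0000] "GET /index.cfm HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2009:04:13:30 +0000] "GET /userfiles/file/cmd.cfm?cmd=whoami HTTP/1.1" 200 144 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (severity, reason, ip, status) for a suspicious entry, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, status = m.group("ip"), m.group("method"), int(m.group("status"))
    parts = urlsplit(m.group("url"))
    path = unquote(parts.path)

    # A .cfm template being served from the upload directory is the
    # post-exploitation signature: an uploaded ColdFusion shell being used.
    if UPLOAD_DIR_RE.match(path):
        return ("critical", "ColdFusion template requested from upload directory", ip, status)

    if not CONNECTOR_RE.search(path):
        return None

    qs = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    command = qs.get("command", "").lower()
    folder = unquote(qs.get("currentfolder", ""))  # second decode catches %252E

    if method == "POST" and command == "fileupload":
        if TRAVERSAL_RE.search(folder):
            return ("high", "connector upload with traversal in CurrentFolder", ip, status)
        return ("high", "file upload through FCKeditor connector", ip, status)
    if command == "createfolder":
        return ("medium", "folder creation through FCKeditor connector", ip, status)
    return ("low", "FCKeditor file manager reached", ip, status)


def scan(log_text):
    """Classify every line of a log; returns findings in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for severity, reason, ip, status in scan(SAMPLE_LOG):
        print(f"{severity:8} {ip:15} {status} {reason}")
```

The upload rule fires on the request, not on the response, so it keeps flagging attempts after the hot fix is applied; the status code carried in each finding shows whether the server actually accepted the upload. The "critical" rule is the one worth paging on, since it means a template is already being executed from a directory that should hold only user uploads.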