Adobe patches ColdFusion vulnerability blocking website attack |
 |
By SearchSecurity.com Staff
09 Jul 2009 | SearchSecurity.com |
|
|
|
| SearchSecurity.com: |
| To get security news and tips delivered to your inbox, click here to sign up for our free newsletter. |
|
|
|
|
Adobe Systems Inc. has issued a patch fixing a vulnerability in its ColdFusion application development platform that left many websites at risk of intrusion.
The patch addresses ColdFusion security by turning off an uploading feature enabled by default blocking any attempt by a hacker to conduct a website attack.
According to the Adobe security bulletin, a vulnerability existed in FCKeditor, which is installed by default in ColdFusion 8. If left unpatched, the vulnerability could allow a remote attacker to upload files in arbitrary directories and ultimately lead to a system compromise.
|
| ColdFusion vulnerability: |
| Adobe ColdFusion websites being compromised: Popular websites run by Simon & Schuster, Crayola, FAO Schwarz and others could be at risk. A flaw in the ColdFusion rich text editor is being actively exploited, Adobe says. |
|
|
|
|
"Adobe categorizes this as a critical issue and recommends affected users patch their installations," the software maker said in the security bulletin.
There were reports of limited attacks against some websites developed using ColdFusion. The SANS Internet Storm Center reported last week that attackers have been exploiting websites.
"The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server," wrote Bojan Zdrnja, a SANS ISC handler.
Adobe issued a hot fix to address the issue. The update turns off file upload capabilities by default and restricts access to cfm files in the FCKeditor filemanager directory. The fix can be applied using the ColdFusion Administrator.
|
|
|
|
