Adobe Releases Fix for Critical ColdFusion Vulnerability

Article by George Norman (Cybersecurity Editor)

on 09 Jul 2009

Adobe has released a patch for an actively exploited vulnerability in ColdFusion, its commercial Rapid Application Development platform. ColdFusion web sites can be compromised through a vulnerability in the bundled FCKEditor, and according to the California-based company, which specializes in multimedia and creativity software, that is precisely what is happening: the vulnerability is being actively exploited.

“A vulnerability in FCKEditor, which is included as part of ColdFusion 8, could allow a remote attacker to upload files in arbitrary directories which could lead to a system compromise. This issue is remotely exploitable. There are reports that this issue is being exploited in the wild,” explains the security bulletin that Adobe released in response to the ColdFusion vulnerability report.

The following software versions are affected by this vulnerability: ColdFusion 8 and ColdFusion 8.0.1. Adobe advises that all affected ColdFusion customers update to ColdFusion 8.0.1 and then apply the hot fix the company released. This process includes a few simple steps, detailed below:

1. First, update to ColdFusion 8.0.1, then download and unzip the hot fix.
2. Open the ColdFusion Administrator and apply the hot fix from the System Information page.
3. Back up the /CFIDE/scripts/ajax/FCKeditor folder to a location outside the webroot.
4. Download this CFIDE.zip file and unzip it. Merge the extracted CFIDE folder with the CFIDE folder already in the webroot, overwriting the existing files when prompted.
5. Delete the files cf5_upload.cfm and cf5_connector.cfm from cfwebroot\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm.
6. Restart ColdFusion.

“A vulnerability in FCKEditor, which is included as part of ColdFusion 8, could allow a remote attacker to upload files in arbitrary directories which could lead to a system compromise. This hotfix updates the version of FCKEditor included with ColdFusion 8, turns off file upload capabilities by default, restricts access to cfm files in the FCKeditor\editor\filemanager directory, and limits file upload capabilities to users with valid sessions. This issue is remotely exploitable. There are reports that this issue is being exploited in the wild,” added Adobe.
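Two checks an administrator would want after following the steps above, as an added example that is not part of the article or of Adobe's hot fix: the first confirms that the two connector scripts step 5 says to delete are really gone from the webroot (and can remove them), and the second scans web-server access logs for requests to .cfm scripts under the FCKeditor filemanager directory, which the hot fix restricts, so that earlier attempts to reach them can be reviewed. The script assumes Apache combined-format access logs (adapt the regex for IIS W3C logs); the log lines and the throwaway webroot it builds are constructed for demonstration.

```python
"""Post-remediation checks for the ColdFusion 8 FCKeditor upload issue."""
import re
import tempfile
from pathlib import Path

# Directory named in the remediation steps, relative to the ColdFusion webroot.
CONNECTOR_DIR = Path("CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm")
# Files the remediation steps say must be deleted.
REMOVED_FILES = ("cf5_upload.cfm", "cf5_connector.cfm")

# Assumption: Apache "combined" log format; adjust for other web servers.
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Lower-cased URL prefix of the filemanager tree the hot fix restricts.
FILEMANAGER_PREFIX = "/cfide/scripts/ajax/fckeditor/editor/filemanager/"


def leftover_connector_files(webroot):
    """Return the names of the to-be-deleted connector files still present."""
    connector_dir = Path(webroot) / CONNECTOR_DIR
    return [name for name in REMOVED_FILES if (connector_dir / name).is_file()]


def remove_connector_files(webroot):
    """Apply step 5 (delete the two connector files); returns the names removed."""
    connector_dir = Path(webroot) / CONNECTOR_DIR
    removed = []
    for name in REMOVED_FILES:
        target = connector_dir / name
        if target.is_file():
            target.unlink()
            removed.append(name)
    return removed


def build_demo_webroot():
    """Create a throwaway webroot that still contains both connector files
    (constructed for demonstration; not a real ColdFusion installation)."""
    root = Path(tempfile.mkdtemp(prefix="cfwebroot_"))
    connector_dir = root / CONNECTOR_DIR
    connector_dir.mkdir(parents=True)
    for name in REMOVED_FILES:
        (connector_dir / name).write_text("<!--- placeholder --->\n")
    return root


def is_filemanager_cfm(path):
    """True if the request path is a .cfm script under the filemanager tree.
    The query string is ignored and the comparison is case-insensitive,
    since Windows hosts serve the path regardless of case."""
    p = path.split("?", 1)[0].lower()
    return p.startswith(FILEMANAGER_PREFIX) and p.endswith(".cfm")


def suspicious_requests(log_lines):
    """Return (client, method, path, status) for every log line that requests
    a .cfm script under the FCKeditor filemanager directory."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_filemanager_cfm(m.group("path")):
            hits.append((m.group("client"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic); lines 1 and 3 hit the
# connector scripts named in the remediation steps, the others are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jul/2009:10:15:01 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/cf5_upload.cfm HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.2 - - [09/Jul/2009:10:15:03 +0000] "GET /index.cfm HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jul/2009:10:15:09 +0000] "GET /cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/cf5_connector.cfm HTTP/1.1" 200 330 "-" "Mozilla/4.0"',
    '198.51.100.2 - - [09/Jul/2009:10:16:00 +0000] "GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/browser/default/browser.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    root = build_demo_webroot()
    print("still present before cleanup:", leftover_connector_files(root))
    print("removed:", remove_connector_files(root))
    print("still present after cleanup:", leftover_connector_files(root))
    for client, method, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"review: {client} {method} {path} -> {status}")
```

Run it against the real webroot by replacing the demo directory with the server's cfwebroot path and feeding the access log file to suspicious_requests; a 200 response to a POST against cf5_upload.cfm from before the hot fix was applied is the kind of entry that warrants checking the upload directories for files that should not be there.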

