Added on 09 Jul 2009
Adobe has released a patch for an exploitable vulnerability affecting ColdFusion, Adobe’s commercial Rapid Application Development platform. ColdFusion web sites may be compromised through a vulnerability in FCKEditor, and according to the California-based maker of multimedia and creativity software, that is precisely what is happening: the vulnerability is being actively exploited.
“A vulnerability in FCKEditor, which is included as part of ColdFusion 8, could allow a remote attacker to upload files in arbitrary directories which could lead to a system compromise. This issue is remotely exploitable. There are reports that this issue is being exploited in the wild,” explains the security bulletin that Adobe released in response to the ColdFusion vulnerability report.
The following software versions are affected by this vulnerability: ColdFusion 8 and ColdFusion 8.0.1. Adobe advises that all affected ColdFusion customers update to ColdFusion 8.0.1 and then apply the hot fix the company released. This process includes a few simple steps, detailed below:
1. Update to ColdFusion 8.0.1, then download and unzip the hot fix.
2. Open the ColdFusion Administrator and apply the hot fix from the System Information page.
3. Back up the /CFIDE/scripts/ajax/FCKeditor folder to a location outside the webroot.
4. Download this CFIDE.zip file and unzip it. Merge this CFIDE folder with the CFIDE already in place in the webroot. When prompted, overwrite the files in the existing CFIDE folder.
5. Delete these files: cf5_upload.cfm and cf5_connector.cfm. You will find them in cfwebroot\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm.
6. Restart ColdFusion.
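A post-patch check for steps 3 and 5, as an added example that is not from Adobe's bulletin or the original article: it walks the whole webroot for the two connector files named in step 5 and reports a backup folder that was left under the webroot. The `wwwroot` and `FCKeditor_backup` names and the sample tree are constructed for the demo; the connector path is the one from step 5, written relative to the webroot.

```python
import os
import tempfile
from pathlib import Path

# File names and connector path are the ones given in step 5 above.
REMOVED_FILES = {"cf5_upload.cfm", "cf5_connector.cfm"}
CONNECTOR_DIR = Path("CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm")


def audit_webroot(webroot, backup_dir=None):
    """Return a list of findings; an empty list means steps 3 and 5 check out."""
    webroot = Path(webroot).resolve()
    findings = []
    # Step 5: walk the whole webroot, not just the connector folder, so that
    # copies left behind in renamed or backup folders are found as well.
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() in REMOVED_FILES:  # tolerate case differences on Windows
                rel = Path(dirpath, name).relative_to(webroot)
                where = "connector folder" if rel.parent == CONNECTOR_DIR else "stray copy"
                findings.append(f"{where}: {rel.as_posix()}")
    # Step 3: the backup must live outside the webroot.
    if backup_dir is not None:
        backup = Path(backup_dir).resolve()
        if backup == webroot or webroot in backup.parents:
            findings.append(f"backup inside webroot: {backup.relative_to(webroot).as_posix()}")
    return sorted(findings)


def demo():
    """Constructed sample tree: hot fix unzipped, but step 5 skipped and the
    step 3 backup left under the webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp, "wwwroot")
        live = webroot / CONNECTOR_DIR
        backup = webroot / "FCKeditor_backup" / "editor/filemanager/connectors/cfm"
        for folder in (live, backup):
            folder.mkdir(parents=True)
            (folder / "cf5_upload.cfm").write_text("constructed placeholder")
        (live / "cf5_connector.cfm").write_text("constructed placeholder")
        return audit_webroot(webroot, webroot / "FCKeditor_backup")


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point `audit_webroot` at the real webroot and backup location after step 6; any line it returns names a file or folder that still needs attention.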
“A vulnerability in FCKEditor, which is included as part of ColdFusion 8, could allow a remote attacker to upload files in arbitrary directories which could lead to a system compromise. This hotfix updates the version of FCKEditor included with ColdFusion 8, turns off file upload capabilities by default, restricts access to cfm files in the FCKeditor\editor\filemanager directory, and limits file upload capabilities to users with valid sessions. This issue is remotely exploitable. There are reports that this issue is being exploited in the wild,” added Adobe.