Added on 06 Jul 2009(342 Views)
Adobe, the California-based company that specializes in creating multimedia and creativity software products, has announced that it is aware of a security vulnerability in ColdFusion, the commercial Rapid Application Development platform that was launched back in ’95. To be more precise Adobe has warned that web pages that have been set up with ColdFusion may become compromised due to a vulnerability in FCKEditor. “Adobe is aware of reports of ColdFusion websites being compromised through a vulnerability in the FCKEditor rich text editor, which is installed with ColdFusion 8. Adobe is working on an update to ColdFusion to resolve the issue, which we expect to make available next week,” explained David Leone, on behalf of the Adobe Product Security Incident Team (PSIRT).
There are some preventive security measures that you can employ to prevent your ColdFusion site from being compromised:
1. Disable connectors: set config.Enabled to false in the editor/filemanager/connectors/cfm/config.cfm file.
2. Under editor/filemanager/connectors/cfm directory of the FCKEditor, remove unused cfm files.
3. Inspect FCKEditor for content that has already been uploaded.
According to the security experts and watchers at SANS Institute's Internet Storm Centre, numerous web pages have already been compromised via this ColdFusion vulnerability. SANS also states that the people behind these recently detected attacks may be the same ones that pulled similar attacks back in March – or at least they might be connected to them.
“There have been a high number of Cold Fusion web sites being compromised. It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. What's interesting is that the group behind this is probably connected (if not the same) as the group that performed a lot of similar attacks back in March,” explained SANS.
Don't forget to:
RSSTags: Adobe, ColdFusion, Security, Vulnerability
Link to this article:
Add comment:
Software News
Fun Friday Feature: Cry Translator iPhone App
I remember that some obscure school teacher once told me that speech separates man from beast. Now I always found that reasoning to be somewhat flawed. What about parrots? They can speak – sort of. Or...
I remember that some obscure school teacher once told me that speech separates man from beast. Now I always found that reasoning to be somewhat flawed. What about parrots? They can speak – sort of. Or...
06 Nov 2009
Chrome 3.0 and 4.0 Updated on the Stable and Dev Channel
The guys over at Google are keeping as busy, of not more so, as the guys over at Mozilla. While the Mozilla Foundation has recently released Firefox 3.6 Beta 1 and Firefox 3.5.5, Mountain View-based search engine giant Google ...
The guys over at Google are keeping as busy, of not more so, as the guys over at Mozilla. While the Mozilla Foundation has recently released Firefox 3.6 Beta 1 and Firefox 3.5.5, Mountain View-based search engine giant Google ...
06 Nov 2009
November 09 Patch Tuesday: 6 Security Bulletins, 15 Vulnerabilities
Next week’s first two days are already booked. On Monday, the 9th of November, we will be celebrating Firefox’s 5th anniversary. On Tuesday, we will focus on something less entertaining, mainly patching our...
Next week’s first two days are already booked. On Monday, the 9th of November, we will be celebrating Firefox’s 5th anniversary. On Tuesday, we will focus on something less entertaining, mainly patching our...
06 Nov 2009
Firefox 3.5.5 Update Released
The Mozilla Foundation has released another update for its browser, mainly Firefox 3.5.5. The update follows in the footsteps of Firefox 3.5.4, an update that was released about a week back...
The Mozilla Foundation has released another update for its browser, mainly Firefox 3.5.5. The update follows in the footsteps of Firefox 3.5.4, an update that was released about a week back...
06 Nov 2009
iTunes 9.0.2 Update Loves Apple TV 3.0 Software, Breaks Palm Pre Syncing (Again)
Cupertino-based software developer Apple has recently updated its digital media player iTunes to version 9.0.2. The update, which follows in the footsteps of iTunes 9.0.1 and iTunes 9.0, brings forth one significant new change...
Cupertino-based software developer Apple has recently updated its digital media player iTunes to version 9.0.2. The update, which follows in the footsteps of iTunes 9.0.1 and iTunes 9.0, brings forth one significant new change...
05 Nov 2009
Blacksn0w: Unlock Tool for the iPhone 3G and 3GS
Great news for iPhone 3G and iPhone 3GS users that updated the device to baseband version 05.11; or iPhone 3G and iPhone 3GS users that bought the device with an updated baseband. Original iPhone hacker...
Great news for iPhone 3G and iPhone 3GS users that updated the device to baseband version 05.11; or iPhone 3G and iPhone 3GS users that bought the device with an updated baseband. Original iPhone hacker...
05 Nov 2009
Recommended Tools
Registry Booster 2009
Clean, Repair and Optimize your PC with the #1 industry leading and award-winning utility
Clean, Repair and Optimize your PC with the #1 industry leading and award-winning utility
Driver Scanner 2009
Fast and easy, it boosts performance by scanning for, downloading & installing driver updates
Fast and easy, it boosts performance by scanning for, downloading & installing driver updates
SpeedUpMyPC 2009
How fast is your PC really running? Turbo-charge your Internet and PC performance here
How fast is your PC really running? Turbo-charge your Internet and PC performance here
Nero Burning ROM
LimeWire Basic
Yahoo! Messenger
Winamp
Mozilla Firefox
eMule
BitComet
iTunes
Google Earth
uTorrent