Adobe Fixes Bug in ColdFusion, Preventing Website Hack
Software maker Adobe Systems Inc. has released an update to patch a security flaw in its ColdFusion platform for application development.
The patch addresses the ColdFusion flaw by disabling a file-upload utility, closing off the route attackers had been using to hijack websites.
Notably, beyond exploiting stock ColdFusion installations, attackers also rely on third-party software such as CFWebstore, which may ship bundled with FCKEditor.
According to a US-CERT advisory, the FCKEditor flaw stems from improper validation of input passed to the 'CurrentFolder' parameter.
Adobe said in its security bulletin that it rated the issue 'critical' and advised users to apply the patch as quickly as possible, SearchSecurity reported on July 9, 2009.
Earlier, an Adobe product security program manager had said the company was aware that ColdFusion-based websites were being hijacked through a bug in the FCKEditor rich-text editor, and that a fix was being developed and would likely be released soon.
To reduce the risk of a website hack, Adobe recommends disabling the FCKEditor connectors, deleting unused CFM folders from FCKEditor's connector directory, and checking files that have already been uploaded.
Some reports indicate that websites built on ColdFusion have been hacked: the flawed systems let attackers upload ColdFusion or ASP shells, which then allow them to fully compromise the server.
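The mitigation steps and the uploaded-shell symptom above translate into a simple audit a site administrator can run over a web root. The script below is an added example written for this article, not Adobe's or FCKEditor's own tooling; it assumes the connector switch reads `Config.Enabled = true` in the connector's config file and that uploads live under a `userfiles` folder, and it builds a constructed sample tree so it runs offline.

```python
import os
import re
import tempfile

# File types that should never sit in a web-editor upload folder (assumption: the
# advisory names ColdFusion and ASP shells; the other extensions are added for safety).
SCRIPT_EXTS = {".cfm", ".cfc", ".cfml", ".asp", ".aspx", ".jsp", ".php"}
# Assumed form of the connector on/off switch in FCKeditor's connector config file.
ENABLED_RE = re.compile(r"Config\.Enabled\s*=\s*true", re.IGNORECASE)
UPLOAD_DIR_NAME = "userfiles"  # assumed name of the upload folder


def audit_fckeditor(webroot):
    """Walk a web root and return three lists:
    connector config files with the connector switched on,
    CFM connector directories present (delete them if the site does not use them),
    script files found inside an upload folder (possible uploaded web shells)."""
    enabled, cfm_dirs, uploads = [], [], []
    for dirpath, _dirs, filenames in os.walk(webroot):
        parts = os.path.normpath(dirpath).lower().split(os.sep)
        if "connectors" in parts:
            if parts[-1] == "cfm":
                cfm_dirs.append(dirpath)
            for name in filenames:
                if name.lower().startswith("config."):
                    path = os.path.join(dirpath, name)
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        if ENABLED_RE.search(fh.read()):
                            enabled.append(path)
        if UPLOAD_DIR_NAME in parts:
            for name in filenames:
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                    uploads.append(os.path.join(dirpath, name))
    return enabled, cfm_dirs, uploads


def build_sample_webroot():
    """Constructed sample site tree (not a real deployment) so the audit runs offline."""
    root = tempfile.mkdtemp()
    cfm = os.path.join(root, "fckeditor", "editor", "filemanager", "connectors", "cfm")
    os.makedirs(cfm)
    with open(os.path.join(cfm, "config.cfm"), "w") as fh:
        fh.write("<cfscript>\nConfig.Enabled = true;\n</cfscript>\n")  # weak: connector on
    uploads = os.path.join(root, UPLOAD_DIR_NAME, "image")
    os.makedirs(uploads)
    for name in ("logo.jpg", "shell.cfm"):  # shell.cfm stands in for an uploaded web shell
        open(os.path.join(uploads, name), "w").close()
    return root


if __name__ == "__main__":
    labels = ("enabled connectors", "cfm connector dirs", "scripts in uploads")
    for label, hits in zip(labels, audit_fckeditor(build_sample_webroot())):
        print(label, hits)
```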
Internet security companies had earlier observed that a large number of ColdFusion websites were hijacked; in those attacks, <script> tags were injected into files on the sites.
Internet security company Trend Micro said that in early July 2009 it observed another surge of hijacked sites, most of them running ColdFusion.
Users, however, pointed out that the attacks succeeded because older versions of some ColdFusion applications contained security holes that allowed attackers to upload malicious code and run it on the compromised servers. The intruders then altered the hijacked websites to embed iframe links pointing to their own malicious sites.
» SPAMfighter News - 29-07-2009