News and guides about converting video to flash (FLV/SWF).

Jul 10, 2009

Adobe patches ColdFusion vulnerability blocking website attack

Adobe Systems Inc. has issued a patch fixing a vulnerability in its ColdFusion application development platform that left many websites at risk of intrusion.
The patch addresses ColdFusion security by turning off an upload feature that is enabled by default, which blocks any attempt by a hacker to conduct a website attack.
According to the Adobe security bulletin, a vulnerability existed in FCKeditor, which is installed by default in ColdFusion 8. If left unpatched, the vulnerability could allow a remote attacker to upload files in arbitrary directories and ultimately lead to a system compromise.
"Adobe categorizes this as a critical issue and recommends affected users patch their installations," the software maker said in the security bulletin.
There were reports of limited attacks against some websites developed using ColdFusion. The SANS Internet Storm Center reported last week that attackers have been exploiting websites.
"The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server," wrote Bojan Zdrnja, a SANS ISC handler.
Adobe issued a hot fix to address the issue. The update turns off file upload capabilities by default and restricts access to cfm files in the FCKeditor filemanager directory. The fix can be applied using the ColdFusion Administrator.

Source: http://www.searchsecurity.com