Cold Fusion sites compromised
Last Updated: 2009-07-03 09:35:14 UTC ...(Version: 2) - "There have been a high number of Cold Fusion web sites being compromised in last 24 hours... It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients...
Update: ... It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting. First, version 8.0.1 of Cold Fusion installs a vulnerable version of FCKEditor which is enabled by default. This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers. Information on how to disable this is available on the ColdFusion web site at http://www.codfusion...security-threat
The second attack vector is again through vulnerable FCKEditor installations, but which are this time dropped through 3rd party application. One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion. Older versions of CFWebstore used vulnerable FCKEditor installations - if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed."
2009-07-03 - "... A patch and a new FCKeditor version will be made available on Monday July 6th 16:00 CET, this advisory will be updated with detailed information about the issue and a security patch. In the meantime we strongly recommend to implement the following mitigation instructions:
* removed unused connectors from 'editor\filemanager\connectors'
* disable the file browser in config.ext
* inspect all fckeditor folders on the server for suspicious files that may have been previously uploaded, as an example image directories (eg. 'fckeditor/editor/images/...') are well known target locations for remote php shells with extensions that match image files
* remove the '_samples' directory
Affected version: FCKeditor <= 2.6.4
(version 3.0 is unaffected as it does not have any built-in file browser)
Fixed version: FCKeditor >= 18.104.22.168 (to be released on 2009-07-06 16:00 CET) ..."
Last revised: 07/05/2009
Edited by apluswebmaster, 05 July 2009 - 08:10 PM.