Jump to content


Photo

Cold Fusion sites compromised


  • Please log in to reply
3 replies to this topic

#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,566 posts

Posted 03 July 2009 - 06:41 AM

FYI...

Cold Fusion sites compromised
- http://isc.sans.org/...ml?storyid=6715
Last Updated: 2009-07-03 09:35:14 UTC ...(Version: 2) - "There have been a high number of Cold Fusion web sites being compromised in last 24 hours... It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients...
Update: ... It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting. First, version 8.0.1 of Cold Fusion installs a vulnerable version of FCKEditor which is enabled by default. This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers. Information on how to disable this is available on the ColdFusion web site at http://www.codfusion...security-threat
The second attack vector is again through vulnerable FCKEditor installations, but which are this time dropped through 3rd party application. One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion. Older versions of CFWebstore used vulnerable FCKEditor installations - if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed."

- http://www.ocert.org...t-2009-007.html
2009-07-03 - "... A patch and a new FCKeditor version will be made available on Monday July 6th 16:00 CET, this advisory will be updated with detailed information about the issue and a security patch. In the meantime we strongly recommend to implement the following mitigation instructions:
* removed unused connectors from 'editor\filemanager\connectors'
* disable the file browser in config.ext
* inspect all fckeditor folders on the server for suspicious files that may have been previously uploaded, as an example image directories (eg. 'fckeditor/editor/images/...') are well known target locations for remote php shells with extensions that match image files
* remove the '_samples' directory
Affected version: FCKeditor <= 2.6.4
(version 3.0 is unaffected as it does not have any built-in file browser)
Fixed version: FCKeditor >= 2.6.4.1 (to be released on 2009-07-06 16:00 CET) ..."

- http://web.nvd.nist....d=CVE-2009-2265
Last revised: 07/05/2009

:ph34r: :grrr:

Edited by apluswebmaster, 05 July 2009 - 08:10 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,566 posts

Posted 06 July 2009 - 06:14 PM

FYI...

- http://www.fckeditor.net/download
Current Release - 2.6.4.1
July 6, 2009

- http://secunia.com/advisories/35712/2/
Release Date: 2009-07-07
Critical: Highly critical
Solution: Update to version 2.6.4.1...

> http://www.us-cert.g...ses_version_2_6

- http://blogs.adobe.c...n_security.html
July 3, 2009

:ph34r:

Edited by apluswebmaster, 07 July 2009 - 06:14 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#3 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,566 posts

Posted 08 July 2009 - 08:24 PM

FYI...

Hotfix available for potential ColdFusion 8 input sanitization issue
- http://www.adobe.com.../apsb09-09.html
July 8, 2009 - "... Adobe recommends affected ColdFusion customers update their installation using the instructions below:
NOTE: ColdFusion 8 customers who have not already done so should first update to ColdFusion 8.0.1*
* http://www.adobe.com...pdates.html#cf8 ...
Severity rating: Adobe categorizes this as a critical issue and recommends affected users patch their installations..."
Revisions: July 9, 2009 - Bulletin updated with Acknowledgment and information on ColdFusion 8.0 hotfix
(More detail and links at the first URL above.)

- http://secunia.com/advisories/35747/2/
Release Date: 2009-07-09
Critical: Highly critical
Impact: Exposure of system information, Exposure of sensitive information, System access
Solution: Update to version 8.0.1 and apply hot fix...

- http://blog.trendmic...ass-compromise/
July 8, 2009

:!:

Edited by apluswebmaster, 11 July 2009 - 02:51 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#4 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,566 posts

Posted 18 August 2009 - 06:54 AM

FYI...

Adobe ColdFusion / JRun multiple vulns - updates available
- http://secunia.com/advisories/36329/2/
Release Date: 2009-08-18
Critical: Moderately critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe ColdFusion 8.x, Adobe ColdFusion MX 7.x, Macromedia Jrun 4.x ...
Original Advisory: Adobe:
http://www.adobe.com.../apsb09-12.html
"... Adobe categorizes these as critical issues and recommends affected users patch their installations..."

- http://www.adobe.com.../apsb09-12.html
August 21, 2009 - Bulletin updated with additional information regarding CVE-2009-1876.

> http://download.macr...e_1872_1877.txt
"ColdFusion... hotfix includes fixes for CVE-2009-1872, CVE-2009-1877..."
> http://web.nvd.nist....d=CVE-2009-1872
> http://web.nvd.nist....d=CVE-2009-1877

> http://download.macr...ReadMe_1875.txt
"ColdFusion... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1..."
> http://web.nvd.nist....d=CVE-2009-1875

> http://download.macr...ReadMe_1876.txt
"ColdFusion... fix for CVE-2009-1876..."
> http://web.nvd.nist....d=CVE-2009-1876

> http://download.macr...ReadMe_1878.txt
"... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1.."
> http://web.nvd.nist....d=CVE-2009-1878

> http://www.adobe.com.../apsb09-12.html
August 28, 2009 - Bulletin updated with additional information regarding CVE-2009-1873, CVE-2009-1874, and CVE-2009-1876.
- http://download.macr...e_1873_1874.txt
- http://download.macr...ReadMe_1876.txt

- http://web.nvd.nist....d=CVE-2009-1873
- http://web.nvd.nist....d=CVE-2009-1874
- http://web.nvd.nist....d=CVE-2009-1876

:ph34r: :ph34r:

Edited by apluswebmaster, 29 August 2009 - 06:16 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button