Recent ColdFusion Vulnerabilities Follow-Up
For about three weeks now, ColdFusion servers have been under attack making use of one of two exploits, one in older versions of an application written in ColdFusion and some through the built in FCKEditor. Both of these issues have an active fix and should be handled with the utmost priority.
FCKEditor
When Adobe initially shipped ColdFusion 8.0 it included the FCKEditor, which was enabled when using <cftextarea richtext="true">. In version 8.0, the built in FCKEditor file manager and uploader were disabled. While there was a post about enabling them, most developers didn't use these features much, either because they would rather handle file uploads separately. However, when the upgrade to 8.0.1 was released, Adobe enabled file uploads by default on the FCKEditor instance.
It was determined that an attacker could access the upload files directly and by using some form of spoofing, get files uploaded to the server that could potentially allow compromise of Windows security.
To correct this, there are two fixes. The first is simply to edit the config.cfm file at \CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm to disable uploads [see]. Also, Adobe released a security patch for this issue and is a very high level patch that should be applied to your servers [link].
CFWebstore
As I mentioned in my last post, users who were running older versions of CFWebstore could also be vulnerable due to a few upload scripts that are accessible directly and can be susceptible to file spoofing. It's important to note that CFWebstore responding very quickly providing a temporary fix to prevent access to the upload files. They also released a more detailed description of what exactly was happening to servers which was compiled from many user's experiences described on their mailing list.
Staying on Top of Things
So how can you stay on top of these sort of issues in the future? My first recommendation is to subscribe to as many ColdFusion related blogs as possible, at least start with the ColdFusionBloggers.org feed. Second, join any related forums or mailing lists related to any applications you are running. Third, try to keep your software as up-to-date as possible, the longer software is in the wild, to more likely someone with lots of time on their hands has found some way of exploiting even the smallest hole to create a very large hassle for you. Lastly, keep an eye on SANS Internet Storm Center which posts up and coming vulnerabilities that are being learned of and patched, this includes everything from Apple products, web applications, and Windows issues.
Additional Resources
- Adobe's Security Response Blog (http://blogs.adobe.com/psirt/)
- Adobe's Security Response Process (http://blogs.adobe.com/asset/2009/01/adobe_psirt_process_1.html)
- ColdFusion 8 Hot Fixes (http://kb2.adobe.com/cps/402/kb402604.html)
- Adobe Secuirty Bulletins and Advisories - all products (http://www.adobe.com/support/security/)
- CFWebstore's Blog (http://blog.cfwebstore.com/)
- CFWebstore's E-mail List (http://tech.groups.yahoo.com/group/cfwebstore5/)
- SANS Internet Storm Center (https://isc.sans.org/)