Hole in ColdFusion 8 threatens web site security
Adobe has confirmed a security hole in the free FCKeditor shipped with ColdFusion 8. Although the open source FCKeditor HTML editor is shipped with ColdFusion, it is not enabled by default; in certain cases, however, the associated connector may be active anyway.
Several reports about attacks on ColdFusion-based web sites have appeared in the past few days and it seems that hackers have exploited the hole to manipulate page contents. The warning issued by Google's SafeBrowsing feature last weekend when visiting web pages by ad provider EyeWonder may also be related to this issue.
Intruders had hacked into EyeWonder's web server and injected malware; this made the domain appear on Google's blacklist of suspicious pages. Browsers that use the Google API consequently warned against banner ad servers in this domain – although they weren't affected, according to EyeWonder. Users visiting the web sites of CNN, the Washington Post, the BBC, Mashable and others found a stop sign on their browser screens as the sites attempted to load ads. According to reports, the problems have been solved and the server vulnerability has since been fixed.
Adobe has announced that a patch to prevent unauthorised file uploads – for example by remote shells – will become available next week. Until then, Adobe recommends several workaround measures to make a system secure and verify whether it has already been hacked. Further details can be found in Adobe's report and in an advisory by the Open Source CERT.
The developers of the editor intend to release version 18.104.22.168 by the end of today; this will fix the bug and also close several cross-site scripting holes.
- Potential ColdFusion security issue, security advisory from Adobe.
- FCKeditor input sanitization errors, advisory from oCERT.