Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Recent attacks were due, in part, to a vulnerable text-editor bundled with web design and development platform ColdFusion, according to Adobe. It had been shipped with an open source text editor called FCKeditor, versions of which contained a security hole.“Adobe is aware of reports of ColdFusion websites being compromised through a vulnerability in the FCKeditor rich text editor,” David Lenoe, Adobe product security program manager, wrote in a post on the company's Product Security Incident Response Team (PSIRT) blog.He said Adobe is working on a fix, which is expected to be made available this week. He also outlined a workaround in the post.In the meantime, a new version of FCKeditor has been released to address the vulnerability. In an advisory, US-CERT said that it “encourages users and administrators to upgrade to FCKeditor version 2.6.4.1 to help mitigate the risks.”The FCKeditor vulnerability was “due to improper verification of input passed to the ‘CurrentFolder' parameter," US-CERT said in its advisory. "Exploitation of this vulnerability may allow an attacker to execute arbitrary code.”ColdFusion also suffered from a second attack vector through vulnerable FCKeditor installations. “One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion,” wrote Bojan Zdrnja, senior information security consultant at Infigo IS, in an updated post on the SANS Internet Storm Center. "Older versions of CFWebstore used a vulnerable FCKeditor installation. If you are using CFWebstore, make sure that you are running the latest version and that any leftovers have been removed.”See original article on scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.
