> The attacker used a version of FCKeditor embedded in a shopping cart 
> software (cfwebstore) to upload an index.cfm file into the 
> store/customtags directory. 

Actually, this isn't quite accurate information (even if it pertained to the 
attack on HOF, which is unlikely). If the attack originates through CFWebstore, 
it is unlikely to be coming from the FCKeditor installation. Older versions of 
CFWebstore, or improperly upgraded ones, may have a file in the customtags 
directory that had a file upload vulnerability that the hackers make use of. 
Unless it's a really old version, the FCKeditor that is packaged with the 
software would have had the connectors removed, as we've been taking it out for 
years due to the known vulnerabilities. If you think the attack originated 
through CFWebstore, drop by the website blog for full details on fixing the 
store. An upgrade to the current release, which is far more secure against this 
and other types of attacks, is certainly a good idea to start. 

However, we've also seen a number of attacks where the hackers are using 
vulnerable FCKeditors on CF8 to infect sites. Since they seem to have knowledge 
of the file structure of the webstore software, they can use a FCKeditor 
instance to send files back into the web directory even after it's upgraded and 
continue to infect the sites, until the server is completely patched. This 
doesn't seem to be an issue other than on CF8 servers. We've often just removed 
the connectors completely unless there is any expectation that they will be 
needed, to be sure they are not gaining access to them. I'm curious to hear any 
further details that are discovered as to what avenues of attack they continue 
to exploit. It'd be nice if we could just completely block internet traffic 
from China, as all these attacks do seem to originate there.

--- 
Mary Jo Sminkey
Author, CFWebstore - ColdFusion Ecommerce
http://www.cfwebstore.com
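An audit script in the spirit of the advice above (remove the FCKeditor connectors, watch the customtags directory for dropped templates), added here as an example and not code from the thread or from CFWebstore. The connector paths, the expected custom tag names and the sample directory tree are all constructed for the example.

```python
import tempfile
from pathlib import Path

# Constructed for this example: server-side connector paths as laid out in an
# FCKeditor install, and the extensions a connector script would carry.
CONNECTOR_DIRS = ("editor/filemanager/connectors/",
                  "editor/filemanager/browser/default/connectors/")
SERVER_EXTS = {".cfm", ".cfc", ".php", ".asp", ".aspx", ".jsp"}

def audit_webroot(webroot, expected_customtags):
    """Return (kind, relative_path) findings for a ColdFusion web root."""
    root = Path(webroot)
    expected = {name.lower() for name in expected_customtags}
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        low = rel.lower()
        # A connector script left in place is the upload entry point the
        # reply describes; a hardened install should contain none.
        if any(d in low for d in CONNECTOR_DIRS) and path.suffix.lower() in SERVER_EXTS:
            findings.append(("fckeditor-connector", rel))
        # customtags should hold only the tags the store ships with; an
        # unexpected template such as index.cfm is a dropped file.
        parts = low.split("/")
        if "customtags" in parts[:-1] and path.name.lower() not in expected:
            findings.append(("unexpected-customtag", rel))
    return findings

def build_sample_tree():
    """Constructed sample tree: one clean tag, one dropped index.cfm, one connector."""
    base = Path(tempfile.mkdtemp())
    for rel in ("store/customtags/cf_productlist.cfm",
                "store/customtags/index.cfm",
                "fckeditor/editor/filemanager/connectors/cfm/connector.cfm",
                "fckeditor/editor/fckeditor.html"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<!-- constructed sample file -->")
    return base

if __name__ == "__main__":
    for kind, rel in audit_webroot(build_sample_tree(), ["cf_productlist.cfm"]):
        print(kind, rel)
```

Run it against a real web root by passing its path and the list of custom tags from a clean copy of the store; anything reported should be removed or verified against that clean copy.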



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326445