Writing in a security blog, Bojan Zdrnja claimed that attackers are exploiting websites running older versions of certain ColdFusion applications that bundle vulnerable installations of FCKEditor, a popular HTML text editor, or CKFinder, an Ajax file manager.
Zdrnja said: “The vulnerable installations allow the attackers to upload ASP or ColdFusion shells which further allow them to take complete control over the server. The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised websites.”
SANS warned that the script tags point to a chain of websites, which ultimately serve malware and try to exploit vulnerabilities on clients.
In a later update, Zdrnja claimed that there are two attack vectors (both using vulnerable FCKEditor installations) that the attackers are exploiting. The first is ColdFusion 8.0.1 itself, which installs a vulnerable version of FCKEditor that is enabled by default.
Zdrnja said: “This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers.”
The second attack vector again goes through a vulnerable FCKEditor installation, but one that reaches the server bundled with a third-party application. One of the common applications seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion.
SANS said that older versions of CFWebstore shipped with vulnerable FCKEditor installations; anyone running CFWebstore should make sure they are on the latest version and that any leftover FCKEditor files from earlier installs have been removed.
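The three things this article describes (a leftover FCKEditor/CKFinder upload connector, uploaded ASP or ColdFusion shells, and injected script tags pointing at external hosts) can all be checked for from the filesystem. The following Python audit script is an added example, not code from the SANS diary or from any of the products named above. The directory names it looks for (fckeditor/ckfinder, connectors, userfiles/uploads) are assumed from the stock editor layouts and should be adjusted to match a real installation; the sample web root it scans is constructed inline so the script runs offline.

```python
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File types a ColdFusion/IIS server would execute if an attacker uploads them
# through an unauthenticated editor connector (the shells the article mentions).
SERVER_EXECUTABLE = {".cfm", ".cfc", ".cfml", ".asp", ".aspx", ".jsp", ".php"}

# Directory names assumed from the default FCKEditor/CKFinder layouts:
# the editor tree, its file-manager connector, and where uploads land.
EDITOR_DIR_NAMES = {"fckeditor", "ckfinder"}
CONNECTOR_DIR_NAME = "connectors"
UPLOAD_DIR_NAMES = {"userfiles", "uploads"}

# Documents scanned for <script src=...> tags.
DOCUMENT_EXT = {".htm", ".html", ".cfm", ".cfml"}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def _parts_lower(path):
    return [p.lower() for p in Path(path).parts]


def find_leftover_connectors(root):
    """Directories named 'connectors' beneath an fckeditor/ckfinder tree.
    On a server that does not need browser-side file management, every hit
    is a leftover upload endpoint that should be removed."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        parts = _parts_lower(dirpath)
        if parts[-1] == CONNECTOR_DIR_NAME and EDITOR_DIR_NAMES & set(parts[:-1]):
            hits.append(dirpath)
    return sorted(hits)


def find_uploaded_shells(root):
    """Server-executable files inside an upload directory. Legitimate uploads
    are images and documents, so a .cfm/.asp here is a shell candidate."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not UPLOAD_DIR_NAMES & set(_parts_lower(dirpath)):
            continue
        for name in files:
            if Path(name).suffix.lower() in SERVER_EXECUTABLE:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_injected_scripts(root, trusted_hosts):
    """(document, src) pairs for <script src=...> tags whose host is not in
    trusted_hosts. Relative sources (same site) are not reported."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in DOCUMENT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for src in SCRIPT_SRC.findall(text):
                host = urlparse(src).hostname  # None for relative sources
                if host and host.lower() not in trusted:
                    hits.append((path, src))
    return sorted(hits)


def audit(root, trusted_hosts=()):
    """Run all three checks over a web root and return the findings."""
    return {
        "connectors": find_leftover_connectors(root),
        "shells": find_uploaded_shells(root),
        "scripts": find_injected_scripts(root, trusted_hosts),
    }


def build_sample_webroot():
    """Constructed sample tree for a stand-alone run; not data from a real host."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        # a connector left behind under the editor tree (layout assumed)
        "CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm": "<cfset x=1>",
        # a shell dropped into the upload directory, next to a real image
        "userfiles/image/cmd.cfm": '<cfexecute name="cmd.exe">',
        "userfiles/image/logo.gif": "GIF89a",
        # a page carrying one legitimate and one injected script tag
        "index.cfm": ('<html><script src="/scripts/app.js"></script>'
                      '<script src="http://malware.example/x.js"></script></html>'),
        "about.html": "<html><p>no scripts</p></html>",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for kind, hits in audit(build_sample_webroot(), ["www.example.com"]).items():
        print(kind, hits)
```

Run it against a production web root instead of the sample tree by calling `audit("/path/to/webroot", trusted_hosts=[...])` with the CDN or analytics hosts your pages legitimately load scripts from; anything else reported under `scripts` deserves a look, and anything under `connectors` or `shells` is a reason to take the site offline first.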