ColdFusion sites under attack

There are two attacks on vulnerable installations of FCKEditor, an HTML editor used in ColdFusion. The vulnerable deployment is installed by default in version 8.0.1 of the system.

The problem lies in the way that the program handles file uploads. A vulnerability in the file upload manager used as part of FCKEditor enables attackers to upload ColdFusion files that could allow them to take control of the server.

"The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites," said the SANS Institute in a blog post. "As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients."

Even if this vulnerable version is not installed by default, a second attack vector exists, in which it is installed via a third-party plug-in.

"One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion," the Institute added. "Older versions of CFWebstore used vulnerable FCKEditor installations -- if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed."

The same goes for older versions of the CKFinder AJAX file manager, which is also susceptible to attack, according to SANS.

According to a post on the independent ColdFusion security web site, the problem lies in a connector which should be turned off by default. It is possible to check this status by viewing a configuration file called config.cfm within the ColdFusion directory structure.
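
One way to run that check across a whole web root, as an added example that is not from the article, the SANS post or Adobe. It assumes the connector switch is a `Config.Enabled` assignment inside `config.cfm` (the article names only the file), and the directory names and file contents in `SAMPLE` are constructed.

```python
import os
import re
import tempfile

# Assumption: the switch is a Config.Enabled assignment (any case, optionally
# quoted). The article names only the file, config.cfm, not the setting.
ENABLED_RE = re.compile(r'\bconfig\.enabled\s*=\s*["\']?(true|false|yes|no|1|0)\b', re.I)
BLOCK_COMMENTS = re.compile(r'<!---.*?--->|/\*.*?\*/', re.S)

def connector_enabled(text):
    """True/False for the last uncommented assignment, None if there is none."""
    state = None
    for line in BLOCK_COMMENTS.sub('', text).splitlines():
        if line.lstrip().startswith('//'):  # cfscript line comment
            continue
        for m in ENABLED_RE.finditer(line):
            state = m.group(1).lower() in ('true', 'yes', '1')
    return state

def audit(root):
    """Return sorted (relative_path, state) for every config.cfm under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == 'config.cfm':
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    findings.append((os.path.relpath(path, root),
                                     connector_enabled(fh.read())))
    return sorted(findings)

# Constructed sample tree: directory names and file contents are made up.
SAMPLE = {
    'shop/editor/config.cfm': '<cfscript>\n  Config.Enabled = true ;\n</cfscript>\n',
    'intranet/editor/config.cfm': '<cfscript>\n  // Config.Enabled = true ;\n'
                                  '  Config.Enabled = false ;\n</cfscript>\n',
    'blog/config.cfm': '<!--- Config.Enabled = true --->\n<cfset dsn = "blog">\n',
}

def build_sample_tree(root):
    for rel, body in SAMPLE.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)

if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, state in audit(tmp):
            label = {True: 'ENABLED', False: 'disabled', None: 'no setting'}[state]
            print(f'{label:10}  {rel}')
```

Pointing `audit()` at a real web root lists every `config.cfm` it finds, including leftover copies bundled with third-party applications, so the enabled ones can be reviewed.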

The attacks may have been carried out by a group that used file upload techniques to carry out similar attacks on a server earlier this year, added the Institute.
