Raymond Camden's ColdFusion Blog: ColdFusion Security Issue

ColdFusion Security Issue - FCKEditor

Many blogs are reporting this, and frankly I don't have more to add to the already good reports out there, but be sure you read and respond to this new issue involving FCKEditor. Details:

CF8 and FCKEditor Security Threat

ColdFusion 8 FCKeditor Vulnerability

Please help spread the word.

This entry was posted on Friday, July 3, 2009 at 11:08 AM. It was filed in the following categories: ColdFusion. It has been viewed 1,755 times and has 7 comments.

TweetBacks

Comments

[Add Comment] [Subscribe to Comments]

Comment 1 written by Chad on 3 July 2009, at 11:55 AM

Any idea if a standard install of FCKeditor is venerable?

I have it installed on the root of some web sites /FCKeditor/ and what i am reading i should probably put this code in a password protected folder to help avoid people directly accessing the file upload code in it.
Comment 2 written by Raymond Camden on 3 July 2009, at 12:40 PM

No idea at all - sorry. I don't use FCKEditor myself.
Comment 3 written by David Hammond on 3 July 2009, at 1:58 PM

Thanks for the heads up! I had an ASP.Net site compromised via FCKEditor a few months ago, but it never occurred to me that CF sites that don't even use the rich text editor could be vulnerable.

To answer Chad's question, older versions of FCKEditor have definitely been vulnerable. Not sure if it's better now.
Comment 4 written by Rakshith on 4 July 2009, at 4:18 AM

Also please refer to this important post http://blogs.adobe.com/psirt/2009/07/ from Adobe Product Security Incident Team. A fix from Adobe will be out shortly.
Comment 5 written by John on 5 July 2009, at 9:28 PM

One thing I'm not seeing mentioned much, if at all, on the blogs about this is that the hackers seem to be expoliting JSP support in ColdFusion Enterprise to do all their damage. They can completely get around sandboxing, attack every site on the box, do all kind of damage to the server. Why is this enabled by default, and why are there not clearer warnings from Adobe about it?? If a hacker manages to get a file onto a site, whatever means that might be, it seems they should not be able to cause so much mischief so easily. It seems this is every bit as much of the issue as the vulnerable install of the editor. Or am I missing something??
Comment 6 written by Doug on 6 July 2009, at 10:19 AM

For those that use FCKeditor outside of CF, a new patch can be downloaded as of today: http://www.fckeditor.net/

I assume it's in response to all these postings lately, but there has been no explanation for that patch yet.

It is supposedly possible to upgrade the CF version of FCKeditor, but I've never tried it myself. I use FCKeditor as a custom tag instead.
Comment 7 written by JC on 7 July 2009, at 9:41 AM

While you're fixing settings, remember that it's not just CFM pages that can be uploaded... JSP can execute as well, and if you're on a windows server, possibly ASP... see the post on coldfusion muse for some files
http://www.coldfusionmuse.com/index.cfm/2009/4/21/...