Raymond Camden's Blog Rss

ColdFusion Security Issue - FCKEditor

7

Posted in ColdFusion | Posted on 07-03-2009 | 3,562 views

Many blogs are reporting this, and frankly I don't have more to add to the already good reports out there, but be sure you read and respond to this new issue involving FCKEditor. Details:

CF8 and FCKEditor Security Threat

ColdFusion 8 FCKeditor Vulnerability

Please help spread the word.

Comments

[Add Comment] [Subscribe to Comments]

Chad said on 07-03-2009 at 11:55 AM #
Any idea if a standard install of FCKeditor is venerable?

I have it installed on the root of some web sites /FCKeditor/ and what i am reading i should probably put this code in a password protected folder to help avoid people directly accessing the file upload code in it.
Raymond Camden said on 07-03-2009 at 12:40 PM #
No idea at all - sorry. I don't use FCKEditor myself.
David Hammond said on 07-03-2009 at 1:58 PM #
Thanks for the heads up! I had an ASP.Net site compromised via FCKEditor a few months ago, but it never occurred to me that CF sites that don't even use the rich text editor could be vulnerable.

To answer Chad's question, older versions of FCKEditor have definitely been vulnerable. Not sure if it's better now.
Rakshith said on 07-04-2009 at 4:18 AM #
Also please refer to this important post http://blogs.adobe.com/psirt/2009/07/ from Adobe Product Security Incident Team. A fix from Adobe will be out shortly.
John said on 07-05-2009 at 9:28 PM #
One thing I'm not seeing mentioned much, if at all, on the blogs about this is that the hackers seem to be expoliting JSP support in ColdFusion Enterprise to do all their damage. They can completely get around sandboxing, attack every site on the box, do all kind of damage to the server. Why is this enabled by default, and why are there not clearer warnings from Adobe about it?? If a hacker manages to get a file onto a site, whatever means that might be, it seems they should not be able to cause so much mischief so easily. It seems this is every bit as much of the issue as the vulnerable install of the editor. Or am I missing something??
Doug said on 07-06-2009 at 10:19 AM #
For those that use FCKeditor outside of CF, a new patch can be downloaded as of today: http://www.fckeditor.net/

I assume it's in response to all these postings lately, but there has been no explanation for that patch yet.

It is supposedly possible to upgrade the CF version of FCKeditor, but I've never tried it myself. I use FCKeditor as a custom tag instead.
JC said on 07-07-2009 at 9:41 AM #
While you're fixing settings, remember that it's not just CFM pages that can be uploaded... JSP can execute as well, and if you're on a windows server, possibly ASP... see the post on coldfusion muse for some files
http://www.coldfusionmuse.com/index.cfm/2009/4/21/...

[Add Comment] [Subscribe to Comments]