Raymond Camden's Blog Rss

Hot Fix for FCK Issue

8

Posted in ColdFusion | Posted on 07-08-2009 | 3,116 views

Ah, what a busy couple of days, eh? Adobe has released an official hot fix for the FCK Editor issue you may have heard about lately: Hotfix available for potential ColdFusion 8 input sanitization issue

Comments

[Add Comment] [Subscribe to Comments]

Sean Coyne said on 07-08-2009 at 2:48 PM #
The instructions are bad. They say to stop the CF service first, then access the admin, which is impossible.

Also, those on a mac should know that if they simply unzip the cfide.zip file to the cfide folder it will replace the folder not merge it like on windows.
brickabracka said on 07-08-2009 at 2:49 PM #
What's a cold fusion?
-=MM=- said on 07-08-2009 at 4:55 PM #
Is this exploitable even if our code doesn't use FCKEditor directly i.e. are there publicly accessible files that expose this vulnerability remotely? I couldn't glean that from the hotfix documentation.
Matthew Williams said on 07-08-2009 at 4:57 PM #
From what I've been seeing online, just it doesn't matter whether you use FCK or not. There's enough access with the files already in place to be able to exploit the upload abilities.
Yaron said on 07-09-2009 at 8:14 AM #
I tried the hot fix update and followed the fix instructions, I'm now getting an IE javascript error

Message: Unspecified error.
Line: 32 Char: 11789
Code: 0
URI: http://someIP/CFIDE/scripts/ajax/FCKeditor/editor/...

anyone encounter this?
Raymond Camden said on 07-09-2009 at 8:24 AM #
Your best bet is to contact Adobe about that. I definitely can't help with IE issues - for some reason the .exe refuses to run on my Mac. ;)
Doug said on 07-09-2009 at 9:29 AM #
It should be mentioned for people who use the FCKeditor outside of CF8 that the latest version of FCKeditor 2.6.4.1 IS STILL NOT SAFE.

This has been tested by Pete Freitag and the FCKeditor upload utility can still be hacked.

http://www.petefreitag.com/item/705.cfm
Simon said on 07-10-2009 at 10:37 AM #
The instructions are terrible at best.
When I added the argument to the jvm.config file I wasn't able to start the service. So now I have no uploading capabilities. Not sure if it's because I had updated my jvm to 1.6.0_13

[Add Comment] [Subscribe to Comments]