About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos.

Lafayette, LA https://www.raymondcamden.com

Archived Comments

Comment 1 by Chad posted on 7/3/2009 at 8:55 PM

Any idea if a standard install of FCKeditor is vulnerable?

I have it installed on the root of some web sites /FCKeditor/ and from what I am reading I should probably put this code in a password protected folder to help avoid people directly accessing the file upload code in it.

Comment 2 by Raymond Camden posted on 7/3/2009 at 9:40 PM

No idea at all - sorry. I don't use FCKEditor myself.

Comment 3 by David Hammond posted on 7/3/2009 at 10:58 PM

Thanks for the heads up! I had an ASP.Net site compromised via FCKEditor a few months ago, but it never occurred to me that CF sites that don't even use the rich text editor could be vulnerable.

To answer Chad's question, older versions of FCKEditor have definitely been vulnerable. Not sure if it's better now.

Comment 4 by Rakshith posted on 7/4/2009 at 1:18 PM

Also, please refer to this important post http://blogs.adobe.com/psir... from the Adobe Product Security Incident Team. A fix from Adobe will be out shortly.

Comment 5 by John posted on 7/6/2009 at 6:28 AM

One thing I'm not seeing mentioned much, if at all, on the blogs about this is that the hackers seem to be exploiting JSP support in ColdFusion Enterprise to do all their damage. They can completely get around sandboxing, attack every site on the box, do all kinds of damage to the server. Why is this enabled by default, and why are there not clearer warnings from Adobe about it?? If a hacker manages to get a file onto a site, whatever means that might be, it seems they should not be able to cause so much mischief so easily. It seems this is every bit as much of the issue as the vulnerable install of the editor. Or am I missing something??

Comment 6 by Doug posted on 7/6/2009 at 7:19 PM

For those that use FCKeditor outside of CF, a new patch can be downloaded as of today: http://www.fckeditor.net/

I assume it's in response to all these postings lately, but there has been no explanation for that patch yet.

It is supposedly possible to upgrade the CF version of FCKeditor, but I've never tried it myself. I use FCKeditor as a custom tag instead.

Comment 7 by JC posted on 7/7/2009 at 6:41 PM

While you're fixing settings, remember that it's not just CFM pages that can be uploaded... JSP can execute as well, and if you're on a Windows server, possibly ASP... see the post on ColdFusion Muse for some files