Risks of FCKeditor Vulnerability in CF8
I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.
If you look at the code a bit you can see that it limits uploads by file extension and doesn't rely on the cffile accept mime type attribute; that's a good start. So at first glance it appears that a hacker could upload images, movies, zip files, and swf files (which would pose an XSS risk). This basically turns your server into a hacker's own personal file server (with limited file extension support). But there are additional risks!
I'm not going to disclose how I did it right now, but I was able to upload and run a cfm file. The problem still exists in the FCKeditor 126.96.36.199 security update that was released today; I have notified them about the issue. I have also notified some folks at Adobe to make sure that they address this issue in their hotfix as well.
So I would recommend you keep the file manager out of your FCKeditor installations, and of course out of your CF8 /CFIDE/scripts installation.
Just another reminder: here's a link to my Security Tips for Uploading Files with ColdFusion.
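As an added example (not code from the post or from FCKeditor), here is a small POSIX shell audit that implements the recommendation above: it finds any FCKeditor file manager left under a ColdFusion webroot, counts them so a scheduled check can fail while any remain, and moves them out of the webroot into a quarantine directory. It assumes the file manager is a directory named `filemanager` somewhere inside an FCKeditor tree; the post does not state that name.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the FCKeditor
# file manager is a directory called "filemanager" inside a directory
# tree whose path contains "fckeditor" (matched case-insensitively).

# Print the path of every FCKeditor file-manager directory under $1.
find_fck_filemanagers() {
    root="$1"
    find "$root" -type d -ipath '*fckeditor*' -iname 'filemanager' 2>/dev/null
}

# Return the number of file managers still present, so an audit job can
# treat any non-zero count as a finding.
count_fck_filemanagers() {
    find_fck_filemanagers "$1" | wc -l | tr -d ' '
}

# Move each file manager out of the webroot ($1) into a quarantine
# directory ($2), preserving its relative path so it can be restored.
quarantine_fck_filemanagers() {
    root="$1"
    quarantine="$2"
    find_fck_filemanagers "$root" | while IFS= read -r dir; do
        rel="${dir#"$root"/}"
        mkdir -p "$quarantine/$(dirname "$rel")"
        mv "$dir" "$quarantine/$rel"
        echo "quarantined: $dir -> $quarantine/$rel"
    done
}
```

Run it against the webroot that holds /CFIDE/scripts (for example `quarantine_fck_filemanagers /var/www/html /var/fck-quarantine`) and re-run `count_fck_filemanagers` after every editor upgrade, since a reinstall can bring the file manager back.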
- Hotfix for CF8 FCKeditor Vulnerability Released - July 8, 2009
- ColdFusion 8 FCKeditor Vulnerability - July 3, 2009
- FCKeditor Access Denied - October 15, 2009
- Tips for Secure File Uploads with ColdFusion - June 24, 2009
- Using AntiSamy with ColdFusion - August 5, 2010