Risks of FCKeditor Vulnerability in CF8
I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.
If you look at the code a bit you can see that it limits uploads by file extension rather than relying on the cffile accept MIME type attribute; that's a good start. So at first glance it appears that a hacker could upload images, movies, zip files, and swf files (which would pose an XSS risk). This basically turns your server into a hacker's own personal file server (with limited file extension support). But there are additional risks!
I'm not going to disclose how I did it right now, but I was able to upload and run a cfm file. The problem still exists in the FCKeditor 2.6.4.1 security update that was released today; I have notified them about the issue. I have also notified some folks at Adobe to make sure that they address this issue in their hotfix as well.
So I would recommend you keep the file manager out of your FCKeditor installations, and of course out of your CF8 /CFIDE/scripts installation.
Just another reminder: here's a link to my Security Tips for Uploading Files with ColdFusion.
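To make the point above concrete, here is an added example (my own illustrative code, not FCKeditor's or the CF8 connector's) of the kind of upload check a handler should do: an extension allowlist that excludes active content such as cfm and swf, a check that the uploaded bytes actually match the claimed image type instead of trusting the browser's MIME type, and a server-chosen stored name. The allowlist and magic-byte table are constructed for this example.

```python
import os
import secrets

# Constructed policy for this example: images only. No swf (XSS risk noted
# above) and no server-side script extensions such as cfm.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
BLOCKED_SEGMENTS = {"cfm", "cfc", "cfml", "cfr", "jsp", "jspx", "php",
                    "asp", "aspx", "swf", "htm", "html"}

# Leading bytes for each allowed type, so the claimed extension must match
# the content. The browser-supplied MIME type is never consulted.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(client_name: str, head: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). client_name is the filename sent by the
    browser; head is the first few bytes of the uploaded content."""
    base = os.path.basename(client_name.replace("\\", "/")).strip().lower()
    if not base or base.startswith("."):
        return False, "empty or hidden filename"
    segments = base.split(".")
    if len(segments) < 2:
        return False, "no extension"
    ext = segments[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not in allowlist"
    # Refuse blocked extensions anywhere in the name, not only at the end,
    # so the decision does not depend on how the web server maps handlers.
    if any(seg in BLOCKED_SEGMENTS for seg in segments[:-1]):
        return False, "blocked extension segment in filename"
    if not any(head.startswith(m) for m in MAGIC[ext]):
        return False, f"content does not look like a {ext} file"
    return True, "ok"


def stored_name(client_name: str) -> str:
    """Server-chosen name: random token plus the validated extension.
    The client's own filename is never reused on disk."""
    ext = client_name.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Store the accepted file outside the web root (or in a directory the server will not execute), since the name check alone is only the first layer.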
Update: Adobe has posted a hotfix for this issue.
Tags: fckeditor, security, coldfusion, upload, cffile, xss
Comments
On 07/06/2009 at 3:33:54 PM EDT Jordan Clark wrote:
A friend of mine was just hacked by this FCKEditor exploit. Not by the editor built into CF8, but in a ColdFusion ecommerce package called CFWebStore.
In any case he was able to track down the actual files that the hacker / worm injected into his site to take control.
I've uploaded the 2 files here for people to take a look at:
http://drop.io/cf_exloit
I found it interesting to see how it works. I'd even guess that it's actually human controlled as it provides output to explore the file system and issue individual file commands.
Besides infecting your files with browser vulnerable malware exploits it will also try to get access to the registry to allow remote desktop access and try to get shell access to set itself to auto-start.
So if you've been infected it might be best to restore a clean copy of your files and change all your passwords.
On 07/07/2009 at 4:44:26 AM EDT Gareth wrote:
Hi Pete,
I realise you don't want to publicly disclose how you managed this, but can you give us some sort of solution to this?
Is this vulnerability limited to fckeditor/adobe's implementation, or could it exploit normal implementations of cffile+upload?
Thanks
On 07/07/2009 at 6:06:19 AM EDT Pete Freitag wrote:
Gareth, if you disable the filemanager you should be safe.