Risks of FCKeditor Vulnerability in CF8
I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.
If you look at the code a bit you can see that it limits uploads by file extension rather than relying on the cffile accept attribute (which, in CF8, only checks the MIME type the browser claims for the file); that's a good start. So at first glance it appears that a hacker could upload images, movies, zip files, and swf files (the swf files pose an XSS risk, because a Flash movie served from your domain runs with your site's origin). This basically turns your server into a hacker's own personal file server (with limited file extension support). But there are additional risks!
I'm not going to disclose how I did it right now, but I was able to upload and run a cfm file. The problem still exists in the FCKeditor 188.8.131.52 security update that was released today, I have notified them about the issue. I have also notified some folks at Adobe to make sure that they address this issue in their hotfix as well.
So I would recommend you remove the file manager from your FCKeditor installations, and of course from the copy that CF8 ships under /CFIDE/scripts.
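To make that recommendation actionable, here is an added example (my own script, not code from the post or from FCKeditor/Adobe) that audits a webroot for FCKeditor file-manager directories, counts the server-side connector scripts inside them, and removes the file manager while leaving the editor itself in place. It assumes the FCKeditor 2.x layout, where the file manager lives at `<fck-root>/editor/filemanager/` and the connectors under `editor/filemanager/connectors/<lang>/`; the `/opt/coldfusion8/wwwroot` path in the usage comment is a placeholder for your own webroot.

```shell
#!/bin/sh
# Added example, not from the original post: audit a ColdFusion webroot for
# FCKeditor file-manager directories and optionally remove them.
#
# Assumptions (not stated on the page): FCKeditor 2.x keeps its file manager
# under <fck-root>/editor/filemanager/, with server-side connectors (cfm, php,
# asp, aspx, ...) in editor/filemanager/connectors/<lang>/.

# Print every FCKeditor file-manager directory below $1, one per line.
# -ipath matches case-insensitively because installs use both "FCKeditor"
# and "fckeditor" as the directory name.
find_fck_filemanagers() {
    root=$1
    find "$root" -type d -ipath '*/editor/filemanager' 2>/dev/null | sort
}

# Count the server-side connector scripts (any language) inside those
# directories; these are the files that accept uploads.
count_fck_connectors() {
    root=$1
    find_fck_filemanagers "$root" | while IFS= read -r dir; do
        find "$dir/connectors" -type f 2>/dev/null
    done | wc -l | tr -d ' '
}

# Delete the file-manager directories outright. The editor (toolbar, skins,
# plugins) is untouched, so pages that embed FCKeditor keep working.
remove_fck_filemanagers() {
    root=$1
    find_fck_filemanagers "$root" | while IFS= read -r dir; do
        rm -rf "$dir"
        echo "removed $dir"
    done
}

# Report, and remove when asked to.
main() {
    root=$1
    shift
    n=$(find_fck_filemanagers "$root" | wc -l | tr -d ' ')
    echo "FCKeditor file managers under $root: $n" \
         "($(count_fck_connectors "$root") connector files)"
    find_fck_filemanagers "$root"
    if [ "${1:-}" = "--remove" ]; then
        remove_fck_filemanagers "$root"
    fi
}

# Usage (webroot path is a placeholder; use your own):
#   sh fck_audit.sh /opt/coldfusion8/wwwroot           # report only
#   sh fck_audit.sh /opt/coldfusion8/wwwroot --remove  # report, then remove
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run the report form first and review the list; a second copy of the editor dropped into an application directory is as exposed as the one under /CFIDE/scripts, and this script finds both. Removing the directory is preferable to editing the connector's config, since a later reinstall or upgrade can silently re-enable a config switch.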
Just another reminder: here's a link to my Security Tips for Uploading Files with ColdFusion.
- Hotfix for CF8 FCKeditor Vulnerability Released - July 8, 2009
- ColdFusion 8 FCKeditor Vulnerability - July 3, 2009
- FCKeditor Access Denied - October 15, 2009
- Tips for Secure File Uploads with ColdFusion - June 24, 2009
- Using AntiSamy with ColdFusion - August 5, 2010