FCKeditor Access Denied

October 15, 2009
coldfusion

I have a client using the standalone FCKEditor on his server (not the one in /CFIDE/ it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's builtin FCKeditor, the file manager for uploading and inserting images stopped working. He was getting a JRun Servlet Error: 403 Access denied.

It turns out that hotfix (hf801-77218) will actually block any CFM request matching /fckeditor/editor/filemanager/ anywhere in the URI.

To bypass this feature you need to add the JVM argument: -Dcoldfusion.fckupload=true to your JVM arguments. This is found in the ColdFusion administrator under Java & JVM settings on Standard, or in the jvm.config file on Enterprise.

In general I think this is a good feature, though it probably will cause an issue with anyone who uses FCKeditor as outside of cftextarea.

Make sure when you enable FCKeditor's file connector that you do so in a secure manner. For example, don't just set config.enabled = true do something like this:

config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;

| Add Comment | add to del.icio.us | Tags: , , ,

Related Entries

3 people found this page useful, what do you think?

 Download FuseGuard WAF for ColdFusion

Trackbacks

Trackback Address: 718/C361D223C4895BC040CCBEC661D7BC26

Comments

On 10/15/2009 at 8:44:06 PM EDT Brian Lang wrote:
1
This is probably not an issue if you've upgraded to CKEditor. Not sure if it still uses the same url structure as the obsolete FCKEditor...

On 10/15/2009 at 11:14:00 PM EDT Greg McNary wrote:
2
If you are on shared hosting and cannot change any server setting or get the hosting company to do it, you can just rename the directory where FCKEditor is located. I changed mine to just editor, then in fckeditor.js changed the this.basepath variable to /editor/. You also have to change all of the calls to the editor if you call it as a custom tag. If you use the CFC, you have to change the this.basepath variable there as well.

On 10/16/2009 at 1:56:55 PM EDT Doug Tepe wrote:
3
Huh. It seems like I avoided this problem by putting my stand-alone version of FCK into a different directory off my wwwroot. So instead the URI for fck reads "/[other dir]/fckeditor/editor/filemanager/".

Tho it will soon be moot since I'll be upgrading to CKeditor just as Brian mentioned.

On 10/16/2009 at 2:21:39 PM EDT Pete Freitag wrote:
4
@Doug - The CF8 hotfix will still block /whatever/fckeditor/editor/filemanager/anything.cfm maybe you didn't apply the hotfix jar, and just updated the /CFIDE folder.

On 11/30/2009 at 4:49:51 PM EST Doug wrote:
5
Hey Pete, turns out you were right. I fixed the problem just by removing the /filemanager subdirectory. The problem came back to bite me when I installed CF9 however, but your solution worked in CF9 too. Thanks!

(Tho I guess it means I must go into CF9's CFIDE and manually fix it again. Oh well. )

On 01/19/2011 at 7:53:48 AM EST salvatore fusto wrote:
6
Pete, this post has beeen very usefull for me; i add that cf9 last release has a new built in function named fileUpload(), just as a function in fckeditor connectors/cfm/commands.cfm, included by cf_connector.cfm, so we have to change this function name, ie file_upload(). regards

On 01/19/2011 at 12:33:10 PM EST Pete Freitag wrote:
7
@salvatore thanks for posting that, I'm sure others will find that useful too.

On 03/10/2011 at 4:33:19 PM EST Matt wrote:
8
I recently began supporting a ColdFusion application that is still using FCKeditor but unfortunately it stopped working when we upgraded to CF9. I ended up on this post when I ran into the 403 error mentioned above. I set -D in the admin panel and everything started working again because we were using config.enabled. I am trying to access session data but I cannot and I am using the standard FCKEditor that comes packaged with CF9. Any thoughts on securely enabling the FCKEditor upload?

In my config files I am doing:

if (IsDefined("Session.MM_Username") AND Session.MM_Username NEQ "") { config.enabled = true; } else { config.enabled = false; }

and I constantly get the disabled message, which is probably correct because I am probably not accessing the actual session information that I want.

In the Application.cfc the out of the box verificyClient() was not working so I had to remove it and thinking I could enable session variables I included:

<cfset this.sessionmanagement = "yes" /> <cfset this.clientmanagement = "yes" />

But everything is still disabled.

On 03/10/2011 at 4:51:43 PM EST Matt wrote:
9
*Correction: ..."n because we were using config.enabled" I mean't config.enabled = true, which I am now trying to secure but can't because I am losing access to the right session data *I think*

On 07/04/2011 at 11:55:45 AM EDT Tim wrote:
10
Pete, Fantastic info, worked a treat! I searched for ages with searches like 'CfmServlet.accessDenied' and 'XML request error: Internal Server Error (500)' as these were in the error message returned but got no decent info. One request to you resolved it. Thanks.

On 03/07/2012 at 7:34:43 PM EST MikeG wrote:
11
@matt - had this same problem in CF8. The cf administrator has it's own application.cfm so the fckeditor cannot see your app's session. I took the easy route - I use a cookie which the fckeditor can see. I also use the cookie to set the userfiles path as well

On 11/10/2012 at 9:00:33 AM EST snake wrote:
12
It has been a long time since I looked at this issue, it has been dredged up again as I have some Mura (aka Sava) sites where the fckeditor is not working. Can you remind me, what problem does enabling the filemanager with -Dcoldfusion.fckupload=true actually cause? Is it because the filemanager is not locked down in any way by default so a hacker could access it and use it to upload files anywhere within the website ?

Is this still an issue with the fckeditor built into CF, doesn't this also get disabled in other ways too?

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?



Archives:
2013 2012 2011 2010 2009 2008 2007 2006 2005 2004 2003 2002