pf » FCKeditor Access Denied

October 15, 2009

FCKeditor Access Denied

I have a client using the standalone FCKEditor on his server (not the one in /CFIDE/ it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's builtin FCKeditor, the file manager for uploading and inserting images stopped working. He was getting a JRun Servlet Error: 403 Access denied.

It turns out that hotfix (hf801-77218) will actually block any CFM request matching /fckeditor/editor/filemanager/ anywhere in the URI.

To bypass this feature you need to add the JVM argument: -Dcoldfusion.fckupload=true to your JVM arguments. This is found in the ColdFusion administrator under Java & JVM settings on Standard, or in the jvm.config file on Enterprise.

In general I think this is a good feature, though it probably will cause an issue with anyone who uses FCKeditor as outside of cftextarea.

Make sure when you enable FCKeditor's file connector that you do so in a secure manner. For example, don't just set config.enabled = true do something like this:

config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;

Permalink | Add Comment |

add to del.icio.us | Tags: fckeditor, security, coldfusion, upload

Related Entries

Hotfix for CF8 FCKeditor Vulnerability Released - July 8, 2009
Risks of FCKeditor Vulnerability in CF8 - July 6, 2009
ColdFusion 8 FCKeditor Vulnerability - July 3, 2009
Hands on ColdFusion Security Training - February 4, 2010
ColdFusion 9 Solr Vulnerability - Are you at Risk? - January 29, 2010

This entry was:

Trackbacks

Trackback Address: 718/C361D223C4895BC040CCBEC661D7BC26

Comments

On 10/15/2009 at 6:44:06 PM EDT Brian Lang wrote:

This is probably not an issue if you've upgraded to CKEditor. Not sure if it still uses the same url structure as the obsolete FCKEditor...

On 10/15/2009 at 9:14:00 PM EDT Greg McNary wrote:

If you are on shared hosting and cannot change any server setting or get the hosting company to do it, you can just rename the directory where FCKEditor is located. I changed mine to just editor, then in fckeditor.js changed the this.basepath variable to /editor/. You also have to change all of the calls to the editor if you call it as a custom tag. If you use the CFC, you have to change the this.basepath variable there as well.

On 10/16/2009 at 11:56:55 AM EDT Doug Tepe wrote:

Huh. It seems like I avoided this problem by putting my stand-alone version of FCK into a different directory off my wwwroot. So instead the URI for fck reads "/[other dir]/fckeditor/editor/filemanager/".

Tho it will soon be moot since I'll be upgrading to CKeditor just as Brian mentioned.

On 10/16/2009 at 12:21:39 PM EDT Pete Freitag wrote:

@Doug - The CF8 hotfix will still block /whatever/fckeditor/editor/filemanager/anything.cfm maybe you didn't apply the hotfix jar, and just updated the /CFIDE folder.

On 11/30/2009 at 2:49:51 PM EST Doug wrote:

Hey Pete, turns out you were right. I fixed the problem just by removing the /filemanager subdirectory. The problem came back to bite me when I installed CF9 however, but your solution worked in CF9 too. Thanks!

(Tho I guess it means I must go into CF9's CFIDE and manually fix it again. Oh well. )