FCKeditor Access Denied
I have a client using the standalone FCKeditor on his server (not the one under /CFIDE/; it is located at /FCKeditor/). After he installed the security hotfix for ColdFusion 8's built-in FCKeditor, the file manager used for uploading and inserting images stopped working, and he was getting a JRun Servlet Error: 403 Access denied.
It turns out that the hotfix (hf801-77218) will block any CFM request whose URI contains /fckeditor/editor/filemanager/ anywhere in the path.
To bypass this check you need to add -Dcoldfusion.fckupload=true to your JVM arguments. On Standard edition this is found in the ColdFusion administrator under Java & JVM settings; on Enterprise it is in the jvm.config file.
In general I think this is a good feature, though it will probably cause an issue for anyone who uses FCKeditor outside of cftextarea.
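Before turning the check off with the JVM argument, it is worth knowing which requests in your own access logs the hotfix is actually rejecting. The following is an added example, not code from the post or from Adobe's hotfix: it applies the rule as the post describes it (a .cfm request whose path contains /fckeditor/editor/filemanager/ anywhere) to a few constructed common-log-format lines. Treating the match as case-insensitive is an assumption drawn from the fact that the client's /FCKeditor/ install was blocked; the log lines, IP addresses and the `hotfix_blocks`, `classify` and `summarize` names are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Path fragment the post says hf801-77218 matches anywhere in the URI of a CFM request.
# Lower-cased comparison is an assumption based on the post's /FCKeditor/ install being blocked.
BLOCKED_PATH_FRAGMENT = "/fckeditor/editor/filemanager/"

# Constructed sample access log (common log format); not taken from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Oct/2009:18:40:01 -0400] "GET /FCKeditor/editor/filemanager/connectors/cfm/connector.cfm?Command=GetFolders HTTP/1.1" 403 0
203.0.113.10 - - [15/Oct/2009:18:40:02 -0400] "POST /FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Type=Image HTTP/1.1" 403 0
203.0.113.11 - - [15/Oct/2009:18:41:10 -0400] "GET /FCKeditor/editor/filemanager/browser/default/browser.html HTTP/1.1" 200 4120
203.0.113.12 - - [15/Oct/2009:18:42:30 -0400] "GET /app/fckeditor/editor/filemanager/connectors/cfm/connector.cfm HTTP/1.1" 403 0
203.0.113.13 - - [15/Oct/2009:18:43:00 -0400] "GET /editor/editor/filemanager/connectors/cfm/connector.cfm HTTP/1.1" 200 512
203.0.113.14 - - [15/Oct/2009:18:44:00 -0400] "GET /index.cfm HTTP/1.1" 200 8800
"""

# client, ident, user, [timestamp], "METHOD URI PROTOCOL", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def hotfix_blocks(uri):
    """True if the hotfix rule, as the post describes it, would reject this request:
    a .cfm request whose path contains the filemanager fragment anywhere.
    Only the path is examined; the query string does not take part in the match."""
    path = urlsplit(uri).path.lower()
    return path.endswith(".cfm") and BLOCKED_PATH_FRAGMENT in path


def classify(log_text):
    """Parse each log line and tag it with whether the hotfix would block it."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        uri = m.group("uri")
        rows.append({
            "ip": m.group("ip"),
            "uri": uri,
            "status": int(m.group("status")),
            "blocked_by_hotfix": hotfix_blocks(uri),
        })
    return rows


def summarize(rows):
    """Count affected requests and list the clients making them, so an admin can
    judge whether those are the site's own editor users before relaxing the check."""
    blocked = [r for r in rows if r["blocked_by_hotfix"]]
    return {
        "total": len(rows),
        "blocked": len(blocked),
        "blocked_ips": sorted({r["ip"] for r in blocked}),
    }


if __name__ == "__main__":
    rows = classify(SAMPLE_LOG)
    for r in rows:
        flag = "BLOCKED" if r["blocked_by_hotfix"] else "allowed"
        print(f"{flag:8} {r['status']} {r['ip']:14} {r['uri']}")
    print(summarize(rows))
```

Note that the renamed-directory layout (/editor/editor/filemanager/...) in the sample is the one Greg McNary describes in the comments; under the rule above it is not matched, which is why that workaround restores uploads without the JVM argument. The browser.html request is also not matched, since the rule only covers CFM requests, so the file browser page itself loads while its connector is denied.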
Make sure that when you enable FCKeditor's file connector you do so in a secure manner. For example, don't just set config.enabled = true; do something like this:
config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;
Related Entries
- Hotfix for CF8 FCKeditor Vulnerability Released - July 8, 2009
- Risks of FCKeditor Vulnerability in CF8 - July 6, 2009
- ColdFusion 8 FCKeditor Vulnerability - July 3, 2009
- Hands on ColdFusion Security Training - February 4, 2010
- ColdFusion 9 Solr Vulnerability - Are you at Risk? - January 29, 2010
Comments
On 10/15/2009 at 6:44:06 PM EDT Brian Lang wrote:
This is probably not an issue if you've upgraded to CKEditor. Not sure if it still uses the same URL structure as the obsolete FCKEditor...
On 10/15/2009 at 9:14:00 PM EDT Greg McNary wrote:
If you are on shared hosting and cannot change any server setting or get the hosting company to do it, you can just rename the directory where FCKEditor is located. I changed mine to just editor, then in fckeditor.js changed the this.basepath variable to /editor/. You also have to change all of the calls to the editor if you call it as a custom tag. If you use the CFC, you have to change the this.basepath variable there as well.
On 10/16/2009 at 11:56:55 AM EDT Doug Tepe wrote:
Huh. It seems like I avoided this problem by putting my stand-alone version of FCK into a different directory off my wwwroot. So instead the URI for fck reads "/[other dir]/fckeditor/editor/filemanager/".
Tho it will soon be moot since I'll be upgrading to CKeditor just as Brian mentioned.
On 10/16/2009 at 12:21:39 PM EDT Pete Freitag wrote:
@Doug - The CF8 hotfix will still block /whatever/fckeditor/editor/filemanager/anything.cfm. Maybe you didn't apply the hotfix jar and just updated the /CFIDE folder.
On 11/30/2009 at 2:49:51 PM EST Doug wrote:
Hey Pete, turns out you were right. I fixed the problem just by removing the /filemanager subdirectory. The problem came back to bite me when I installed CF9 however, but your solution worked in CF9 too. Thanks!
(Tho I guess it means I must go into CF9's CFIDE and manually fix it again. Oh well. )