FCKeditor Access Denied
By Pete Freitag
I have a client using the standalone FCKeditor on his server (not the one in /CFIDE/; it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's built-in FCKeditor, the file manager for uploading and inserting images stopped working. He was getting a JRun Servlet Error:
403 Access denied.
It turns out that the hotfix (hf801-77218) will actually block any CFM request matching /fckeditor/editor/filemanager/ anywhere in the URI.
To bypass this feature you need to add the JVM argument -Dcoldfusion.fckupload=true to your JVM arguments. On Standard this is found in the ColdFusion Administrator under Java & JVM settings; on Enterprise it is set in the jvm.config file.
In general I think this is a good feature, though it probably will cause an issue with anyone who uses FCKeditor as outside of
Make sure that when you enable FCKeditor's file connector you do so in a secure manner. For example, don't just set config.enabled = true; do something like this instead:
config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;
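As an added example (not code from the original post), here is what that gating looks like in context in the connector's config.cfm, together with an extension allow-list and a dedicated upload path. The session.isAdminUser flag is the post's own name for the application's login check; how it gets set is application-specific and assumed. The config key names are those of the FCKeditor 2.6 CFML connector's config.cfm, which is an assumption to verify against the copy shipped in your install.

```cfml
<!--- editor/filemanager/connectors/cfm/config.cfm (added example, not the original post's code) --->
<cfscript>
    config = structNew();

    // Gate the connector on an application-managed session flag, as the post
    // recommends. session.isAdminUser is assumed to be set by the app's login
    // code; when the key is absent the connector stays disabled.
    config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;

    // Keep uploads under a dedicated path rather than alongside application code.
    // Key names below are those of the FCKeditor 2.6 CFML connector (assumption).
    config.userFilesPath = "/userfiles/";

    // Allow-list extensions per resource type instead of relying on a deny-list;
    // an empty allow-list for a type means nothing of that type can be uploaded.
    config.allowedExtensions = structNew();
    config.deniedExtensions  = structNew();

    config.allowedExtensions["File"]  = "pdf,doc,docx,xls,xlsx,zip";
    config.deniedExtensions["File"]   = "";

    config.allowedExtensions["Image"] = "gif,jpeg,jpg,png";
    config.deniedExtensions["Image"]  = "";

    // Flash and Media uploads are not needed by this site, so allow none.
    config.allowedExtensions["Flash"] = "";
    config.deniedExtensions["Flash"]  = "";

    config.allowedExtensions["Media"] = "";
    config.deniedExtensions["Media"]  = "";
</cfscript>
```

The point of the allow-list is that a script extension (.cfm, .jsp, .cfc) can never be uploaded regardless of what a request claims, and the session gate means the connector returns disabled to anyone who is not logged in as an administrator, which is exactly the exposure the hotfix's URI block was introduced to close.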
FCKeditor Access Denied was first published on October 15, 2009.