ColdFusion 8 FCKeditor Vulnerability
The FCKeditor ColdFusion connector isn't enabled on all CF installations, I think if you installed a fresh 8.0.1 it is enabled, older versions may have had it disabled by default. Either way you need to make sure it is disabled, and remove the file manager. John Mason has put together a blog entry detailing how to do this here. If you aren't using
cftextarea you might as well go ahead and delete (or move outside the web root)
/CFIDE/scripts/ajax/FCKeditor/ all together.
Also if you use FCKeditor (on any version of CF) outside of
cftextarea make sure you are not at risk.
I haven't had a chance yet to review the vulnerability itself, but I will do so, and post details, in the mean time just make sure your server is not vulnerable.
I would like to point out another thing that you can do to make you less susceptible to automated attacks like this, move your
/CFIDE/scripts/ directory to a different URI, then specify your custom URI in the ColdFusion Administrator under Server Settings at Default ScriptSrc Directory . Eliminating defaults is key to avoiding such worms, yes you are still vulnerable, but it buys you some extra time to react to such attacks. That was one of the tips in my presentation at cf.Objective() on Hardening ColdFusion, which I still need to post the slides for.
Update: The Adobe Product Security Incident Response Team (PSIRT) has posted an official response to this issue here.
Update: Adobe has posted a hotfix for this issue.
- Hotfix for CF8 FCKeditor Vulnerability Released - July 8, 2009
- Risks of FCKeditor Vulnerability in CF8 - July 6, 2009
- FCKeditor Access Denied - October 15, 2009
- ColdFusion Security Hotfixes Released - August 18, 2009
- Tips for Secure File Uploads with ColdFusion - June 24, 2009
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained
- How to Resolve Java HTTPS Exceptions