Risks of FCKeditor Vulnerability in CF8
I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.
If you look at the code a bit you can see that it limits uploads by file extension rather than relying on the cffile accept (MIME type) attribute, which is a good start. So at first glance it appears that a hacker could upload images, movies, zip files, and swf files (which would pose an XSS risk). This basically turns your server into a hacker's own personal file server (with limited file extension support). But there are additional risks!
I'm not going to disclose how I did it right now, but I was able to upload and run a cfm file. The problem still exists in the FCKeditor 220.127.116.11 security update that was released today; I have notified them about the issue. I have also notified some folks at Adobe to make sure that they address this issue in their hotfix as well.
So I would recommend you keep the file manager out of your FCKeditor installations, and of course out of your CF8 /CFIDE/scripts installation.
Just another reminder: here's a link to my Security Tips for Uploading Files with ColdFusion.
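To make the extension-check point above concrete, here is an added example of a ColdFusion upload handler written for this post (it is not FCKeditor's code or code from the original post). It assumes a form field named "upload" and a directory in "safeDir" that sits outside the web root and is not served by ColdFusion; the file is checked by the extension it actually received on disk, then renamed, rather than trusting the client's name or MIME type.

```cfml
<!---
  Added example, not from the post or from FCKeditor.
  Assumptions: form field "upload"; safeDir is outside the web root.
--->
<cfset allowedExt = "jpg,jpeg,png,gif,pdf">
<cfset safeDir = "/var/uploads/">   <!--- assumed path, outside the web root --->

<!--- 1. Upload to a temp directory first, never straight into the web root.
         The cffile "accept" attribute only checks the client-supplied MIME
         type, so it is deliberately not relied on here. --->
<cffile action="upload"
        fileField="upload"
        destination="#getTempDirectory()#"
        nameConflict="makeUnique"
        result="up">

<!--- 2. Check the extension of the file as it landed on disk (serverFileExt),
         against an allowlist. A file with no extension yields "" and is rejected. --->
<cfset ext = lCase(up.serverFileExt)>
<cfif NOT listFindNoCase(allowedExt, ext)>
    <cffile action="delete" file="#up.serverDirectory#/#up.serverFile#">
    <cfthrow message="File type not permitted.">
</cfif>

<!--- 3. Store it under a name we generated; the client-supplied name is discarded. --->
<cfset newName = createUUID() & "." & ext>
<cffile action="move"
        source="#up.serverDirectory#/#up.serverFile#"
        destination="#safeDir##newName#">
```

Because the stored file is never reachable by a URL that ColdFusion would execute, even a file that slips past the allowlist cannot run as a .cfm page; serve approved files back through a handler that sets the Content-Type itself.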