Risks of FCKeditor Vulnerability in CF8
I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.
If you look at the code a bit you can see that it limits uploads by file extension, and doesn't rely on the
cffile accept mime type attribute, that's a good start. So at first glance it appears that a hacker could upload images, movies, zip files, and swf files (which would pose a XSS risk). This basically turns you server into a hacker's own personal file server (with limited file extension support). But there are additional risks!
I'm not going to disclose how I did it right now, but I was able to upload and run a cfm file. The problem still exists in the FCKeditor 184.108.40.206 security update that was released today, I have notified them about the issue. I have also notified some folks at Adobe to make sure that they address this issue in their hotfix as well.
So I would recommend you keep the file manager out of your FCKeditor installations, and ofcourse from your CF8 /CFIDE/scripts installation.
Just another reminder here's a link to my Security Tips for Uploading Files with ColdFusion.
Like this? Follow me ↯Tweet Follow @pfreitag
Risks of FCKeditor Vulnerability in CF8 was first published on July 06, 2009.
If you like reading about fckeditor, security, coldfusion, upload, cffile, or xss then you might also like:
- Hotfix for CF8 FCKeditor Vulnerability Released
- ColdFusion 8 FCKeditor Vulnerability
- FCKeditor Access Denied
- Tips for Secure File Uploads with ColdFusion
- Using AntiSamy with ColdFusion
- Announcing Web Application Firewall for ColdFusion
- ColdFusion 2020 Developer Week - Securing CF
- Fixinator and Foundeo Security Bundle
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.