FCKeditor Access Denied

October 15, 2009
coldfusion

I have a client using the standalone FCKEditor on his server (not the one in /CFIDE/ it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's builtin FCKeditor, the file manager for uploading and inserting images stopped working. He was getting a JRun Servlet Error: 403 Access denied.

It turns out that hotfix (hf801-77218) will actually block any CFM request matching /fckeditor/editor/filemanager/ anywhere in the URI.

To bypass this feature you need to add the JVM argument: -Dcoldfusion.fckupload=true to your JVM arguments. This is found in the ColdFusion administrator under Java & JVM settings on Standard, or in the jvm.config file on Enterprise.

In general I think this is a good feature, though it probably will cause an issue with anyone who uses FCKeditor as outside of cftextarea.

Make sure when you enable FCKeditor's file connector that you do so in a secure manner. For example, don't just set config.enabled = true do something like this:

config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;

Like this? Follow me ↯


You might also like:

3 people found this page useful, what do you think?

Comments

This is probably not an issue if you've upgraded to CKEditor. Not sure if it still uses the same url structure as the obsolete FCKEditor...
If you are on shared hosting and cannot change any server setting or get the hosting company to do it, you can just rename the directory where FCKEditor is located. I changed mine to just editor, then in fckeditor.js changed the this.basepath variable to /editor/. You also have to change all of the calls to the editor if you call it as a custom tag. If you use the CFC, you have to change the this.basepath variable there as well.
@Doug - The CF8 hotfix will still block /whatever/fckeditor/editor/filemanager/anything.cfm maybe you didn't apply the hotfix jar, and just updated the /CFIDE folder.
Pete,
this post has beeen very usefull for me; i add that cf9 last release has a new built in function named fileUpload(), just as a function in fckeditor connectors/cfm/commands.cfm, included by cf_connector.cfm, so we have to change this function name, ie file_upload().
regards
@salvatore thanks for posting that, I'm sure others will find that useful too.
@matt - had this same problem in CF8. The cf administrator has it's own application.cfm so the fckeditor cannot see your app's session. I took the easy route - I use a cookie which the fckeditor can see. I also use the cookie to set the userfiles path as well


Foundeo Inc.