FCKeditor Access Denied
I have a client using the standalone FCKeditor on his server (not the one in /CFIDE/; it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's built-in FCKeditor, the file manager for uploading and inserting images stopped working. He was getting a JRun Servlet Error:
403 Access denied.
It turns out that the hotfix (hf801-77218) will actually block any CFM request matching /fckeditor/editor/filemanager/ anywhere in the URI.
To bypass this check you need to add -Dcoldfusion.fckupload=true to your JVM arguments. On Standard this is done in the ColdFusion Administrator under Java & JVM settings; on Enterprise it goes in the jvm.config file.
In general I think this is a good feature, though it probably will cause an issue with anyone who uses FCKeditor as outside of
Make sure that when you enable FCKeditor's file connector you do so in a secure manner. For example, don't just set config.enabled = true; do something like this:
config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;
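The contrast drawn above, written out as an added example (this is not the author's code nor FCKeditor's shipped file): a fragment of the CFM connector's config.cfm showing the weak setting beside the hardened one. config.enabled is the key named in the post; the other keys (config.userFilesPath, config.forceSingleExtension, config.allowedExtensions, config.deniedExtensions) are my recollection of FCKeditor 2.6's CFM connector configuration and should be checked against the config.cfm actually installed. session.isAdminUser is assumed to be a boolean that your login code sets server-side after authentication.

```cfml
<!--- Added example: fragment of editor/filemanager/connectors/cfm/config.cfm --->
<cfscript>
	// WEAK: enables the connector for every visitor who can reach the URI.
	// Once the hotfix's URI block is turned off with -Dcoldfusion.fckupload=true,
	// this line is the only gate between anonymous requests and your upload folder.
	// config.enabled = true;

	// HARDENED: only an authenticated admin session may use the connector.
	// IsDefined() keeps the expression from throwing when the key is absent
	// (anonymous visitor); CFML short-circuits AND, so session.isAdminUser is
	// only read when the key exists. The explicit "session." prefix matters:
	// an unscoped isAdminUser could be satisfied from the URL or form scope.
	config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;

	// Assumed connector keys (verify against the shipped config.cfm):
	// keep uploads in a dedicated folder and restrict what may be stored there.
	config.userFilesPath = "/userfiles/";
	config.forceSingleExtension = true;   // "a.cfm.jpg" is stored as "a_cfm.jpg"
	config.allowedExtensions = structNew();
	config.deniedExtensions  = structNew();
	config.allowedExtensions["Image"] = "bmp,gif,jpeg,jpg,png";
	config.deniedExtensions["File"]   = "cfm,cfc,cfml,cfr,cfswf,jsp,php,asp,aspx,exe";
</cfscript>
```

For the session check to work, session management must be enabled in the application (this.sessionManagement = true in Application.cfc), and session.isAdminUser should be written only by the login code after credentials have been verified, never copied from a request parameter.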
This post has been very useful for me; I add that the latest CF9 release has a new built-in function named fileUpload(), just as a function in FCKeditor's connectors/cfm/commands.cfm, included by cf_connector.cfm, so we have to change this function name, i.e. file_upload().