FCKEditor Security threat in ColdFusion 8

ColdFusion

Recent postings on SANS and The Register identify a vulnerability in some ColdFusion 8 installations. It involves the richtext feature found in the cftextarea tag. This tag actually implements an open source rich text editor called FCKEditor. FCKEditor has functionality built in to handle file uploads and file management, but this feature should be disabled in the version embedded in CF server. The problem is that in some cases the connector that runs this feature is actually turned on.

Is your connector enabled? To find out, navigate to the following folder on your server:


CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm

and look at the config.cfm file to see whether the connector is on (Config.Enabled).

If enabled, this means a hacker might be able to directly call the filemanager system to upload files and take control of the server. FCKEditor has some history of being exploited by this type of attack.

    // What the user can do with this connector
    Config.ConfigAllowedCommands = "QuickUpload,FileUpload,GetFolders,GetFoldersAndFiles,CreateFolder" ;


Solutions:


1) Turn off the connector so that the filemanagement and file upload features can't work. Do this by commenting it out.

2) Just restrict what the filemanager can do: see the code above and remove the functions you do not want to allow.


3) To be completely safe, delete the entire filemanager directory found under "CFIDE\scripts\ajax\FCKeditor\editor". The embedded version of FCKeditor for CF doesn't, and really shouldn't, use this feature, so removing those files completely is the safest thing to do. Be mindful that updates to CF might re-introduce those files and naturally re-open the problem. You can avoid this by making the file/folder read only so that it cannot be updated.

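Putting the "is your connector enabled" check and solutions 1 to 3 into a script you can run against a web root: the Python below is an added example, not code from the original post, from Adobe or from the FCKeditor project. It reads the connector's config.cfm, reports whether Config.Enabled is on, lists the commands in Config.ConfigAllowedCommands, flags the ones that upload or create content, and checks whether the filemanager directory still exists. The two folder paths are the ones named in the post; the sample config.cfm fragments, the grouping of "write" commands, and the function names are assumptions.

```python
"""Audit helper for the FCKeditor connector shipped with ColdFusion 8.

Added example; not part of the original post, ColdFusion or FCKeditor.
"""
import re
from pathlib import Path

# Connector config path, relative to the web root (folder named in the post).
CONNECTOR_CONFIG = Path(
    "CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/config.cfm"
)
# Directory that solution 3 in the post removes outright.
FILEMANAGER_DIR = Path("CFIDE/scripts/ajax/FCKeditor/editor/filemanager")

# Commands that write to the server (assumed grouping of the post's list).
WRITE_COMMANDS = {"QuickUpload", "FileUpload", "CreateFolder"}

# Constructed config.cfm fragment for an install with the connector turned on.
SAMPLE_CONFIG_ENABLED = """\
<cfscript>
    Config = StructNew() ;
    // SECURITY: the connector must be enabled explicitly
    Config.Enabled = true ;
    // What the user can do with this connector
    Config.ConfigAllowedCommands = "QuickUpload,FileUpload,GetFolders,GetFoldersAndFiles,CreateFolder" ;
</cfscript>
"""

# Same fragment after solutions 1 and 2: line commented out, connector off,
# upload/create commands removed (constructed).
SAMPLE_CONFIG_HARDENED = """\
<cfscript>
    Config = StructNew() ;
    // Config.Enabled = true ;
    Config.Enabled = false ;
    Config.ConfigAllowedCommands = "GetFolders,GetFoldersAndFiles" ;
</cfscript>
"""

# Matches one `Config.Name = value ;` line (CFML is case-insensitive).
_SETTING = re.compile(r"^\s*Config\.(\w+)\s*=\s*(.+?)\s*;\s*$", re.IGNORECASE)


def parse_config(text: str) -> dict:
    """Return {setting_name_lowercase: raw_value} for uncommented Config.X lines."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):  # commented out, so not in effect
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return settings


def connector_status(text: str) -> dict:
    """Summarise the connector's exposure from the contents of config.cfm."""
    settings = parse_config(text)
    enabled = settings.get("enabled", "false").lower() in {"true", "yes", "1"}
    raw = settings.get("configallowedcommands", "")
    commands = [c.strip() for c in raw.split(",") if c.strip()]
    write = sorted(WRITE_COMMANDS.intersection(commands))
    if not enabled:
        verdict = "ok: connector disabled"
    elif write:
        verdict = "risk: connector enabled and allows upload/create commands"
    else:
        verdict = "warn: connector enabled (read-only commands only)"
    return {"enabled": enabled, "commands": commands,
            "write_commands": write, "verdict": verdict}


def audit_webroot(webroot) -> dict:
    """Audit a real web root: is the filemanager still there, and is it on?"""
    webroot = Path(webroot)
    fm_dir = webroot / FILEMANAGER_DIR
    cfg = webroot / CONNECTOR_CONFIG
    if not fm_dir.exists():
        return {"filemanager_present": False,
                "verdict": "ok: filemanager directory removed"}
    if not cfg.is_file():
        return {"filemanager_present": True,
                "verdict": "warn: filemanager present but config.cfm missing"}
    status = connector_status(cfg.read_text(encoding="utf-8", errors="replace"))
    status["filemanager_present"] = True
    return status


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for label, text in (("enabled sample", SAMPLE_CONFIG_ENABLED),
                        ("hardened sample", SAMPLE_CONFIG_HARDENED)):
        print(f"{label}: {connector_status(text)['verdict']}")
    print(f"{root}: {audit_webroot(root)['verdict']}")
```

Run it with the web root as its only argument (without one it evaluates the two constructed samples and the current directory). A "risk" verdict is the situation the post describes; after solution 3 the script reports the directory as removed, which is also the state a CF update can silently undo, so it is worth re-running after patching.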

Please note that if your host is secure and runs sites so that they cannot read/write files outside of their own root, then any attack should be localised to the attacked site only and not the whole server.


At BlueThunder/CFMX Hosting we employ security sandboxes for every site, restricting access, and PHP/ASP etc. are restricted in the same way using server security, so it should not be possible for any uploaded code to access paths outside of that website.

If your host allows CFFILE by default without a sandbox, or only runs CF Standard edition, then beware: the entire server is vulnerable to this and to just about any other file upload attack as well.


The Adobe Product Security Incident Response Team (PSIRT) has posted an official response to this issue here. A patch is expected soon, but in the meantime make sure you are not at risk.


UPDATE: hotfix now available HERE

2 responses to “FCKEditor Security threat in ColdFusion 8”

  1. A. Yee Says:
    do ALL file uploads invoke FCKeditor? Or is it when you invoke <cftextarea>? I have an old CF5 file upload box that we still use for our users to upload pictures for e-cards and I want to know if all upload fields will be affected when I turn this off?

    Thanks,

    /a
  2. Russ Says:
    this issue is only related to the above scenario, which only exists in CF8+
    CF5 would not be affected. However, if you use FCKEditor independently, not the one integrated into CF, then you could still have such a vulnerability if arbitrary file uploads are possible.
