FCKEditor Security Issue Not Just a ColdFusion Problem
While reading through some of the ColdFusion blogs over the last couple of days, I think one issue has been missed: the security vulnerability in FCKEditor exists outside of ColdFusion. In other words, if you are using the FCKEditor tool outside of ColdFusion, or your ColdFusion site uses the standalone version (and not the version embedded in ColdFusion), this issue can leave your site open to attack. The major error on Adobe’s part seems to be that the 8.0.1 updater introduced this issue by enabling uploads in the file upload connector. The version of this editor embedded in ColdFusion does not need file uploads, so this feature should be disabled.
If you are using the standalone version of the FCKEditor and have file uploads enabled (using any of the connectors), you should take some steps to ensure that rogue files cannot be uploaded. The great thing about the FCKEditor tool is that it’s open source. You can easily modify the code for the connector to add some security checks (limits on upload size, MIME type and extension exclusions, etc.). If you are using this editor within a password-protected admin or client area, you could also add the same authentication checks inside the connector code. This would prevent someone from uploading a file without being logged into the password-protected area of your site.
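As an added example (not FCKeditor's own connector code, and not from the original post), here is the kind of guard those three checks amount to when placed at the top of the cfm connector's upload handler. The field name `NewFile`, the session flag `session.isAdmin`, and the `uploadDir` variable are assumptions: substitute whatever your connector and login system actually use.

```cfml
<!--- Added example, not FCKeditor's own code: guard for the top of the cfm
      connector's upload handler. Assumptions: the form field is "NewFile",
      session.isAdmin is set by your admin login, and uploadDir is the absolute
      directory your connector derives from config.UserFilesPath. --->
<cfset allowedExtensions = "jpg,jpeg,gif,png,pdf">
<cfset allowedTypes = "image/jpeg,image/gif,image/png,application/pdf">
<cfset maxBytes = 2 * 1024 * 1024>
<cfset uploadDir = expandPath("/userfiles")>   <!--- assumption, see above --->

<!--- 1. Authentication: only logged-in admins may reach the upload code at all --->
<cfif not structKeyExists(session, "isAdmin") or not session.isAdmin>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Write the upload to the temp directory first, never straight into uploadDir,
        so a rejected file is never reachable by URL even for a moment --->
<cffile action="upload"
        filefield="NewFile"
        destination="#getTempDirectory()#"
        nameconflict="makeunique">
<cfset tempPath = cffile.serverDirectory & "/" & cffile.serverFile>

<!--- 3. Size, extension and declared MIME type checks. The extension check is the one
        that matters for code execution: the server decides what to run from the
        extension, while the MIME type is whatever the client claimed. --->
<cfset rejectReason = "">
<cfif cffile.fileSize gt maxBytes>
    <cfset rejectReason = "file too large">
<cfelseif not listFindNoCase(allowedExtensions, cffile.serverFileExt)>
    <cfset rejectReason = "extension not allowed">
<cfelseif not listFindNoCase(allowedTypes, cffile.contentType & "/" & cffile.contentSubType)>
    <cfset rejectReason = "content type not allowed">
</cfif>

<cfif len(rejectReason)>
    <cfif fileExists(tempPath)>
        <cffile action="delete" file="#tempPath#">
    </cfif>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Upload rejected: #rejectReason#</cfoutput>
    <cfabort>
</cfif>

<!--- 4. Only a file that passed every check is moved into the user files directory --->
<cffile action="move" source="#tempPath#" destination="#uploadDir#/#cffile.serverFile#">
```

The order is deliberate: the authentication check runs before any file is written, and the file sits in the temp directory (outside the web root) until it has passed the allowlist, so nothing uploadable is ever served before it is vetted. An allowlist of extensions is used rather than a blocklist, because a blocklist has to anticipate every extension the server will execute.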
In conclusion, I just wanted to note that this particular vulnerability does exist outside of the ColdFusion server install itself if you are using the standalone version of the FCKEditor. This latest issue can serve as a reminder to always check the third-party applications you use, and to make sure you implement them correctly.
To quickly patch your ColdFusion 8 installations you can follow the steps below, recommended by the Adobe Security Team. It sounds as though Adobe will be releasing a hotfix for this issue very soon, but they recommend these steps while waiting for the hotfix to be released:
- Disable connectors by setting config.Enabled to false in the editor/filemanager/connectors/cfm/config.cfm file.
- Remove unused cfm files under editor/filemanager/connectors/cfm directory of the FCKeditor.
- Inspect FCKeditor directories for content that has already been uploaded. The uploaded files go under the directory specified in the config.UserFilesPath set in config.cfm.
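The three steps above are a manual checklist; the following added example (not Adobe's or FCKeditor's code) is a one-off audit page that verifies them: it confirms `config.Enabled` is false, lists every `.cfm` file still present under the connector directory so unused ones can be removed, and walks the upload directory flagging anything with a server-executable or HTML extension. The paths `/fckeditor` and `/userfiles` are assumptions; point them at your own install and at the absolute directory behind `config.UserFilesPath`.

```cfml
<!--- Added example, not Adobe's or FCKeditor's code: audit page for the three
      mitigation steps. Paths are assumptions; adjust to your installation. --->
<cfset fckRoot = expandPath("/fckeditor")>
<cfset connectorDir = fckRoot & "/editor/filemanager/connectors/cfm">
<cfset uploadDir = expandPath("/userfiles")>   <!--- directory behind config.UserFilesPath (assumption) --->
<!--- Extensions the server would execute or the browser would render as active content --->
<cfset riskyExts = "cfm,cfc,cfml,cfr,jsp,jspx,php,asp,aspx,htm,html,js,shtml">

<!--- Step 1: read the connector config and confirm the connectors are disabled --->
<cfinclude template="/fckeditor/editor/filemanager/connectors/cfm/config.cfm">
<cfoutput>
<h3>Step 1: connector state</h3>
config.Enabled = #config.Enabled#
<cfif config.Enabled><strong>connectors are still enabled; set config.Enabled to false</strong></cfif><br>
</cfoutput>

<!--- Step 2: list every .cfm under the connector directory; anything not needed should be removed --->
<cfset connectorFiles = directoryList(connectorDir, true, "path", "*.cfm")>
<cfoutput><h3>Step 2: #arrayLen(connectorFiles)# .cfm file(s) under the connector directory</h3></cfoutput>
<cfloop array="#connectorFiles#" index="f">
    <cfoutput>#f#<br></cfoutput>
</cfloop>

<!--- Step 3: inspect the upload directory for files that should never have been accepted --->
<cfset uploaded = directoryList(uploadDir, true, "query")>
<cfset flagged = 0>
<cfoutput><h3>Step 3: suspicious files under the upload directory</h3></cfoutput>
<cfloop query="uploaded">
    <cfif uploaded.type eq "File" and listFindNoCase(riskyExts, listLast(uploaded.name, "."))>
        <cfset flagged = flagged + 1>
        <cfoutput>#uploaded.directory#/#uploaded.name#
            (#uploaded.size# bytes, modified #dateFormat(uploaded.dateLastModified, "yyyy-mm-dd")#
            #timeFormat(uploaded.dateLastModified, "HH:mm:ss")#)<br></cfoutput>
    </cfif>
</cfloop>
<cfoutput><cfif flagged eq 0>none found</cfif></cfoutput>
```

Run the page once from an administrator's browser and then delete it, since it reveals paths and the connector state. The extension test looks only at the final extension, which is what the server uses to decide whether to execute a file; if you also want to catch files that were uploaded with a harmless extension but odd contents, compare the modification times listed in step 3 against the window in which the connector was enabled.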