New CF8 vulnerability

You may want to check for this on any clients/projects you've worked with:
http://isc.sans.org/diary.html?storyid=6715

Remediation steps available here:
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324173
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

And that's why our prod servers are read only (and Linux).

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



2009/7/3 Dave Watts <dwatts@...>:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324174
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

I don't seem to have the same file directory as that posted in the second
link. Instead I have:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\upload\cfm\config.cfm

and:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\browser\default\connectors\
cfm\config.cfm

Both of these files look like they are encrypted.

Am I missing something?

Adrian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324179
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

I suspect you have an older version of FCKEditor deployed in that case.

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: Adrian Lynch <contact@...>
Sent: Friday, 03 July, 2009 06:46
To: cf-talk <cf-talk@...>
Subject: RE: New CF8 vulnerability


I don't seem to have the same file directory as that posted in the second
link. Instead I have:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\upload\cfm\config.cfm

and:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\browser\default\connectors\
cfm\config.cfm

Both of these files look like they are encrypted.

Am I missing something?

Adrian



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324181
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

There's nothing OS-specific about the vulnerability, as far as I can see.

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: James Holmes <james.holmes@...>
Sent: Thursday, 02 July, 2009 20:56
To: cf-talk <cf-talk@...>
Subject: Re: New CF8 vulnerability


And that's why our prod servers are read only (and Linux).

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



2009/7/3 Dave Watts <dwatts@...>:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324182
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

On Friday 03 Jul 2009, Adrian Lynch wrote:
> Am I missing something?

You're on CF8.0.0 not 8.0.1 and so fine ?

--
Helping to biannually pursue best-of-breed sexy holistic eyeballs as part of
the IT team of the year, '09 and '08

****************************************************

This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list of members is available for inspection at the registered office together with a list of those non members who are referred to as partners.  We use the word “partner” to refer to a member of the LLP, or an employee or consultant with equivalent standing and qualifications. Regulated by the Solicitors Regulation Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be confidential or legally privileged.  If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents.  If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.halliwells.co

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324183
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

On Friday 03 Jul 2009, Dave Watts wrote:
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

Site down, probably load.
In summary:
CF8.0.1 ships with a plugin in the FCKeditor that powers rich text editing in
a non-default, insecure state.
Find config.cfm
in ....../CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm and
change 'Config.enabled' to false at the top.

Then review if you need any of the features you just turned off and take it
from there.

--
Helping to vitalistically compete cross-platform mindshares as part of the IT
team of the year, '09 and '08

****************************************************

This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list of members is available for inspection at the registered office together with a list of those non members who are referred to as partners.  We use the word “partner” to refer to a member of the LLP, or an employee or consultant with equivalent standing and qualifications. Regulated by the Solicitors Regulation Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be confidential or legally privileged.  If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents.  If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.halliwells.co

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324184
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Dave Watts wrote:
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715

How does this exploit actually work?  I presume it is somebody directly
accessing the exposed, vulnerable, exploitable files via
www.yourSite.org/cfide/scripts/something?  Is that correct?  If so, we
may have been lucky enough that our cfide folder is not publicly
available at the moment, but I would like to know more as I present this
up the chain to get remediation steps done on our production servers.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324192
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

what if you want to do file upload with fckeditor?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324197
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Brian McCairn wrote:
> what if you want to do file upload with fckeditor?

The recommendation seems to be to install the latest version of
fckeditor independently of the built in ColdFusion edition and to make
sure that it resides and works within properly sandboxed portions of you
system so that permission escalation is much harder to accomplish.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324198
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case.

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: Ian Skinner <hof@...>
Sent: Friday, 03 July, 2009 10:08
To: cf-talk <cf-talk@...>
Subject: Re: New CF8 vulnerability


Dave Watts wrote:
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715

How does this exploit actually work?  I presume it is somebody directly
accessing the exposed, vulnerable, exploitable files via
www.yourSite.org/cfide/scripts/something?  Is that correct?  If so, we
may have been lucky enough that our cfide folder is not publicly
available at the moment, but I would like to know more as I present this
up the chain to get remediation steps done on our production servers.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324203
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

You should take the same precautions you would with any file upload. Don't allow uploads to web-accessible directories that allow code execution on the server. Better yet, don't allow uploads to web-accessible directories at all, so that your server can't unwittingly host client-side malware. Don't run CF with root credentials, so that successfully uploaded CF scripts can't do bad things to your system.

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: Brian McCairn <brian.mccairn@...>
Sent: Friday, 03 July, 2009 10:38
To: cf-talk <cf-talk@...>
Subject: Re: New CF8 vulnerability


what if you want to do file upload with fckeditor?



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324204
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Dave Watts wrote:
> Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case.
>
> Dave Watts, CTO, Fig Leaf Software

Well, that was my subtle request for a good URL or two to test!! :-)

I tried one or two I could guess by looking at the directory under
scrutiny and I got an encouraging 404 Not Found for them.  But I realize
I may not be using the best URL's for my testing.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324205
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Sorry for omitting the actual URLs, but I'm sending all this from my phone. And CF doesn't run on Windows Mobile!

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: Ian Skinner <hof@...>
Sent: Friday, 03 July, 2009 13:17
To: cf-talk <cf-talk@...>
Subject: Re: New CF8 vulnerability


Dave Watts wrote:
> Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case.
>
> Dave Watts, CTO, Fig Leaf Software

Well, that was my subtle request for a good URL or two to test!! :-)

I tried one or two I could guess by looking at the directory under
scrutiny and I got an encouraging 404 Not Found for them.  But I realize
I may not be using the best URL's for my testing.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324207
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Dave (or anyone else with information),

I know the vulnerability was in older versions of FCKEditor...if one were to
install and use the current version, does it still have the vulnerability or
has that been fixed?  I just got an emergency gig to fix a site that was
hacked because of this and we need to know if it is safe to do this or just
keep FCKEditor disabled inthe meantime.

Eric


On Thu, Jul 2, 2009 at 6:17 PM, Dave Watts <dwatts@...> wrote:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324210
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

Supposedly on July 6 a new version will be released that is at least
better, if not 'fixed'.

Kind of glad I put mine behind logins from the get-go.  I am guessing
that this affects all FCKEditor installations and not just CF8's
cftextarea.

Way back when, an earlier cf connector was so full of holes I wound up
rewriting it with another developer's help and posting it on their
forum.  Guess that since then its code got a lot more complex but not
a lot better.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324211
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

So do we not need to restart ColdFusion after making this change?


On Fri, Jul 3, 2009 at 5:32 PM, Eric Roberts <
owner@...> wrote:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324212
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

No, a restart shouldn't be required.

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: David McGuigan <davidmcguigan@...>
Sent: Saturday, 04 July, 2009 00:29
To: cf-talk <cf-talk@...>
Subject: Re: New CF8 vulnerability


So do we not need to restart ColdFusion after making this change?


On Fri, Jul 3, 2009 at 5:32 PM, Eric Roberts <
owner@...> wrote:



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324216
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

I don't know, but it should be easy enough to check on your install.

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: Eric Roberts <owner@...>
Sent: Friday, 03 July, 2009 19:32
To: cf-talk <cf-talk@...>
Subject: Re: New CF8 vulnerability


Dave (or anyone else with information),

I know the vulnerability was in older versions of FCKEditor...if one were to
install and use the current version, does it still have the vulnerability or
has that been fixed?  I just got an emergency gig to fix a site that was
hacked because of this and we need to know if it is safe to do this or just
keep FCKEditor disabled inthe meantime.

Eric


On Thu, Jul 2, 2009 at 6:17 PM, Dave Watts <dwatts@...> wrote:



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324217
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4

If you mean your FCKEditor is accessed in a secure area, I don't think that
matters. It's whether or not certain scripts can be accessed at
yourdomain.com/cfide/scripts/bla/bla/eek.cfm.

Someone correct me if this isn't the case...

Adrian



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324222
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4