New CF8 vulnerability

> -----Original Message-----
> From: Matt Robertson [mailto:websitemaker@...]
> Sent: 04 July 2009 05:01
> To: cf-talk
> Subject: Re: New CF8 vulnerability
>
>
> Supposedly on July 6 a new version will be released that is at least
> better, if not 'fixed'.
>
> Kind of glad I put mine behind logins from the get-go.  I am guessing
> that this affects all FCKEditor installations and not just CF8's
> cftextarea.
>
> Way back when, an earlier cf connector was so full of holes I wound up
> rewriting it with another developer's help and posting it on their
> forum.  Guess that since then its code got a lot more complex but not
> a lot better.
>
> --
> --m@Robertson--
> Janitor, The Robertson Team
> mysecretbase.com

> If there's a default web accessible URL path for uploaded files, , and
> that directory is configured to execute CF files, an attacker can
> simply upload a .cfm file, and run it to do anything CF can do:
> CFEXECUTE, access databases, connect to outbound FTP servers, etc. You
> may not allow the first of those, but it's far less likely you're
> blocking the others.
>
> Dave Watts, CTO, Fig Leaf Software
>
> -----Original Message-----
> From: Dave l <cflist@...>
> Sent: Sunday, 05 July, 2009 09:46
> To: cf-talk <cf-talk@...>
> Subject: Re: New CF8 vulnerability
>
>
> "There's nothing OS-specific about the vulnerability, as far as I can
> see. "
> I'm sure it more about a "location" that is easy to guess.. maybe the
> default fk one.
> Although them exe's are gunna have a bitch of a time running on a lt
> 1gb sectioned partition with no rights on my  xserver.
>
> To many people probably upload to /uploads (i'm guilty) so it
> shouldn't be to difficult.
>

> If there's a default web accessible URL path for uploaded files, , and
> that directory is configured to execute CF files, an attacker can
> simply upload a .cfm file, and run it to do anything CF can do:
> CFEXECUTE, access databases, connect to outbound FTP servers, etc. You
> may not allow the first of those, but it's far less likely you're
> blocking the others.
>
> Dave Watts, CTO, Fig Leaf Software
>
> -----Original Message-----
> From: Dave l <cflist@...>
> Sent: Sunday, 05 July, 2009 09:46
> To: cf-talk <cf-talk@...>
> Subject: Re: New CF8 vulnerability
>
>
> "There's nothing OS-specific about the vulnerability, as far as I can
> see. "
> I'm sure it more about a "location" that is easy to guess.. maybe the
> default fk one.
> Although them exe's are gunna have a bitch of a time running on a lt
> 1gb sectioned partition with no rights on my  xserver.
>
> To many people probably upload to /uploads (i'm guilty) so it
> shouldn't be to difficult.
>

> It's not a CF-only issue. However, CF comes bundled with FCKEditor and
> other scripting languages don't.
>
> If you don't allow uploads to web accessible directories, you don't
> have anything to worry about. However, the default install of CF 8.0.1
> on Windows does allow uploads to web accessible directories.
>
> Dave Watts, CTO, Fig Leaf Software
>
> -----Original Message-----
> From: Dave l <cflist@...>
> Sent: Sunday, 05 July, 2009 13:37
> To: cf-talk <cf-talk@...>
> Subject: Re: New CF8 vulnerability
>
>
> "If there's a default web accessible URL path for uploaded files"
> Well that's why you don't do it. I have done it but I don't anymore.
>
> That's true with any server, any platform, any scripting language, I
> don't know why they are making this out to be a cf only issue.
>
> I have 3 hd's,
> #1 is the os and apps,
> #2 is partitioned with 99.9% of it beingbu stuff and the rest is just
> few folders that the uploads go into and run thru doing what needs to
> be done with them.
> #3 is web server.
>
> So cfm files an only be run out of the #3 hd. So if I upload the files
> to an isolated partition with min permissions how who they run that cf
> file? That drive isn't accessible from the web & I have no ftps or any
> incoming connections to that drive. They could of course hack into the
> server itself and then move the file manually to the web server drive
> then go get it ;)
>
> > If there's a default web accessible URL path for uploaded files, ,
> and
> > that directory is configured to execute CF files, an attacker can
> > simply upload a .cfm file, and run it to do anything CF can do:
> > CFEXECUTE, access databases, connect to outbound FTP servers, etc.
> You
> > may not allow the first of those, but it's far less likely you're
> > blocking the others.
> >
> > Dave Watts, CTO, Fig Leaf Software
> >
> > -----Original Message-----
> > From: Dave l <cflist@...>
> > Sent: Sunday, 05 July, 2009 09:46
> > To: cf-talk <cf-talk@...>
> > Subject: Re: New CF8 vulnerability
> >
> >
> > "There's nothing OS-specific about the vulnerability, as far as I
> can
> > see. "
> > I'm sure it more about a "location" that is easy to guess.. maybe
> the
> > default fk one.
> > Although them exe's are gunna have a bitch of a time running on a lt
>
> > 1gb sectioned partition with no rights on my  xserver.
> >
> > To many people probably upload to /uploads (i'm guilty) so it
> > shouldn't be to difficult.
> >
>
>

>
> Thats the trouble with bundling things. I used to think it was nice but
> really it creates these types of things.
>
> Have you seen the video of the guy hacking sites with this?
>
>
>
>
> > It's not a CF-only issue. However, CF comes bundled with FCKEditor and
> > other scripting languages don't.
> >
> > If you don't allow uploads to web accessible directories, you don't
> > have anything to worry about. However, the default install of CF 8.0.1
> > on Windows does allow uploads to web accessible directories.
> >
> > Dave Watts, CTO, Fig Leaf Software
> >
> > -----Original Message-----
> > From: Dave l <cflist@...>
> > Sent: Sunday, 05 July, 2009 13:37
> > To: cf-talk <cf-talk@...>
> > Subject: Re: New CF8 vulnerability
> >
> >
> > "If there's a default web accessible URL path for uploaded files"
> > Well that's why you don't do it. I have done it but I don't anymore.
> >
> > That's true with any server, any platform, any scripting language, I
> > don't know why they are making this out to be a cf only issue.
> >
> > I have 3 hd's,
> > #1 is the os and apps,
> > #2 is partitioned with 99.9% of it beingbu stuff and the rest is just
> > few folders that the uploads go into and run thru doing what needs to
> > be done with them.
> > #3 is web server.
> >
> > So cfm files an only be run out of the #3 hd. So if I upload the files
> > to an isolated partition with min permissions how who they run that cf
> > file? That drive isn't accessible from the web & I have no ftps or any
> > incoming connections to that drive. They could of course hack into the
> > server itself and then move the file manually to the web server drive
> > then go get it ;)
> >
> > > If there's a default web accessible URL path for uploaded files, ,
> > and
> > > that directory is configured to execute CF files, an attacker can
> > > simply upload a .cfm file, and run it to do anything CF can do:
> > > CFEXECUTE, access databases, connect to outbound FTP servers, etc.
> > You
> > > may not allow the first of those, but it's far less likely you're
> > > blocking the others.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > >
> > > -----Original Message-----
> > > From: Dave l <cflist@...>
> > > Sent: Sunday, 05 July, 2009 09:46
> > > To: cf-talk <cf-talk@...>
> > > Subject: Re: New CF8 vulnerability
> > >
> > >
> > > "There's nothing OS-specific about the vulnerability, as far as I
> > can
> > > see. "
> > > I'm sure it more about a "location" that is easy to guess.. maybe
> > the
> > > default fk one.
> > > Although them exe's are gunna have a bitch of a time running on a lt
> >
> > > 1gb sectioned partition with no rights on my  xserver.
> > >
> > > To many people probably upload to /uploads (i'm guilty) so it
> > > shouldn't be to difficult.
> > >
> >
> >
>
>
>

>
> Is it only me, or does this patch solution look pretty bad?
>     "merge the cfide folder"
> Ack!
>
> Cheers,
> Kris
>
> > A hotfix was just released for this:
> > http://www.adobe.com/support/security/bulletins/apsb09-09.html
>
>