I have always installed FCK instead of using the bundled version...it allows
me to make sure that I have the latest version without affecting CF.  I am
not a fan of bundled/integrated anything...I think Office being the
exception...why would you want all of your eggs in one basket?

Eric

On Mon, Jul 6, 2009 at 9:13 AM, Dave l <cfl...@jamwerx.com> wrote:

>
> That's the trouble with bundling things. I used to think it was nice but
> really it creates these types of things.
>
> Have you seen the video of the guy hacking sites with this?
>
> > It's not a CF-only issue. However, CF comes bundled with FCKEditor and
> > other scripting languages don't.
> >
> > If you don't allow uploads to web accessible directories, you don't
> > have anything to worry about. However, the default install of CF 8.0.1
> > on Windows does allow uploads to web accessible directories.
> >
> > Dave Watts, CTO, Fig Leaf Software
> >
> > -----Original Message-----
> > From: Dave l <cfl...@jamwerx.com>
> > Sent: Sunday, 05 July, 2009 13:37
> > To: cf-talk <cf-talk@houseoffusion.com>
> > Subject: Re: New CF8 vulnerability
> >
> > "If there's a default web accessible URL path for uploaded files"
> > Well that's why you don't do it. I have done it but I don't anymore.
> >
> > That's true with any server, any platform, any scripting language, I
> > don't know why they are making this out to be a CF-only issue.
> >
> > I have 3 hd's,
> > #1 is the os and apps,
> > #2 is partitioned with 99.9% of it being bu stuff and the rest is just a
> > few folders that the uploads go into and run thru doing what needs to
> > be done with them.
> > #3 is web server.
> >
> > So .cfm files can only be run out of the #3 HD. So if I upload the files
> > to an isolated partition with minimal permissions, how would they run that CF
> > file? That drive isn't accessible from the web & I have no FTPs or any
> > incoming connections to that drive. They could of course hack into the
> > server itself and then move the file manually to the web server drive,
> > then go get it ;)
> >
> > > If there's a default web accessible URL path for uploaded files, and
> > > that directory is configured to execute CF files, an attacker can
> > > simply upload a .cfm file, and run it to do anything CF can do:
> > > CFEXECUTE, access databases, connect to outbound FTP servers, etc. You
> > > may not allow the first of those, but it's far less likely you're
> > > blocking the others.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > >
> > > -----Original Message-----
> > > From: Dave l <cfl...@jamwerx.com>
> > > Sent: Sunday, 05 July, 2009 09:46
> > > To: cf-talk <cf-talk@houseoffusion.com>
> > > Subject: Re: New CF8 vulnerability
> > >
> > > "There's nothing OS-specific about the vulnerability, as far as I
> > can
> > > see. "
> > > I'm sure it more about a "location" that is easy to guess.. maybe
> > the
> > > default fk one.
> > > Although them exe's are gunna have a bitch of a time running on a lt
> >
> > > 1gb sectioned partition with no rights on my  xserver.
> > >
> > > To many people probably upload to /uploads (i'm guilty) so it
> > > shouldn't be to difficult.
> > >

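The thread's advice, stated in code: keep uploads in a directory the web server cannot serve or execute from, pick the stored filename on the server, and accept only the extensions the application needs, so an uploaded .cfm never lands where it can be requested. This is an added example written for this page in Python, not code from the thread, from ColdFusion or from FCKeditor; the wwwroot/uploads layout in demo() and the extension lists are assumptions.

```python
"""Hardened upload handling for the scenario in the thread: a script
uploaded into a web-accessible, script-executing directory becomes
remote code execution. The defence is to keep uploads out of the
webroot, choose the stored filename server-side, and allow only the
extensions the application needs.

Added example, not code from the thread or from ColdFusion/FCKeditor.
The directory names and the demo() layout are assumptions.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Extensions the application server would execute if the file were
# reachable over HTTP. ColdFusion runs .cfm/.cfc/.cfml; the rest are
# listed so the same helper covers mixed-stack hosts.
SCRIPT_EXTENSIONS = {".cfm", ".cfml", ".cfc", ".jsp", ".jspx",
                     ".asp", ".aspx", ".php", ".phtml"}

# What the application actually accepts (assumed list). An allow-list
# means an unknown or missing extension is rejected, not waved through.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def is_inside(child: Path, parent: Path) -> bool:
    """True if child resolves to parent or to a path beneath it."""
    child, parent = child.resolve(), parent.resolve()
    return child == parent or parent in child.parents


def classify_filename(client_name: str) -> str:
    """Classify a client-supplied filename as 'allowed', 'script' or 'other'.

    Only the last path component counts, so '../../wwwroot/x.cfm' is
    judged by 'x.cfm'. Every suffix is inspected, so 'shell.cfm.jpg'
    is still a script (some servers honour an inner extension)."""
    base = os.path.basename(client_name.replace("\\", "/"))
    suffixes = {s.lower() for s in Path(base).suffixes}
    if suffixes & SCRIPT_EXTENSIONS:
        return "script"
    if Path(base).suffix.lower() in ALLOWED_EXTENSIONS:
        return "allowed"
    return "other"


def store_upload(webroot: Path, upload_root: Path,
                 client_name: str, data: bytes) -> Path:
    """Write data under upload_root with a random server-chosen name.

    Raises ValueError if upload_root is web-accessible (inside webroot)
    or the client filename is not acceptable. Returns the stored path."""
    if is_inside(upload_root, webroot):
        raise ValueError("upload directory must not be under the webroot")
    verdict = classify_filename(client_name)
    if verdict != "allowed":
        raise ValueError(f"rejected upload ({verdict}): {client_name!r}")
    ext = Path(os.path.basename(client_name.replace("\\", "/"))).suffix.lower()
    # Random name: the attacker controls neither the stored name nor any
    # URL, because this directory has no URL at all.
    dest = upload_root / f"{secrets.token_hex(16)}{ext}"
    upload_root.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Exercise the helper against a constructed wwwroot/uploads layout."""
    root = Path(tempfile.mkdtemp())
    webroot, uploads = root / "wwwroot", root / "uploads"   # assumed layout
    webroot.mkdir()
    results = {}
    stored = store_upload(webroot, uploads, "photo.jpg", b"\xff\xd8\xff")
    results["stored_outside_webroot"] = not is_inside(stored, webroot)
    results["stored_name_is_random"] = stored.name != "photo.jpg"
    # Constructed attacker filenames: direct, traversal, double-extension, binary.
    for name in ("shell.cfm", "../../wwwroot/shell.cfm", "shell.cfm.jpg", "tool.exe"):
        try:
            store_upload(webroot, uploads, name, b"<cfexecute>")
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    try:  # the insecure layout the thread warns about: uploads under the webroot
        store_upload(webroot, webroot / "uploads", "photo.jpg", b"\xff")
        results["uploads_under_webroot"] = "accepted"
    except ValueError:
        results["uploads_under_webroot"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The is_inside() check is the part that enforces the thread's point directly: an upload directory that resolves to somewhere under the webroot is refused before any file is written, regardless of how "safe" the filename looks. The extension checks are defence in depth for the day someone misconfigures the directory anyway.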
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324241