There are numerous points in this chain where I could now drop in and mention the Hotfix that was released today but I think this is the best point. But before it gets lost in the weeds:
As I just posted to my blog at http://blog.joshuaadams.com/index.cfm/2009/7/9/ColdFusion-8-Security-Bulletin-Has-Been-Posted-re-FCKEditor-Security-Vulnerability, we (Adobe) have released a Hotfix for the FCKEditor Security Vulnerability that has been discussed here in this thread. Please see the accompanying Security Bulletin at http://www.adobe.com/support/security/bulletins/apsb09-09.html for more information. Okay, now to addressing Steve's message below: I hear you. If you haven't already, take a look at Terry Ryan's post from Monday at http://www.terrenceryan.com/blog/index.cfm/2009/7/6/Questions-about-the-FCKEditor-Vulnerability-in-ColdFusion. As explained there, there were some complications here, but ultimately, as Terry says of that process: "in this case it ended up biting us and you. We now know we should have released the workaround as soon as we knew about it." Sorry that didn't happen. Hopefully we'll learn from this and avoid problems of this type in the future. Josh From: [email protected] [mailto:[email protected]] On Behalf Of Steve Drucker Sent: Thursday, July 02, 2009 7:48 PM To: [email protected] Subject: Re: [ACFUG Discuss] CF Attacks in the wild Yeah, I just looked at it. Ugly. Very ugly. I can't believe Adobe didn't issue an immediate patch. On Thu, Jul 2, 2009 at 7:41 PM, Howard Fore <[email protected]<mailto:[email protected]>> wrote: Yes not older. In fact, an 8.0.1 installation is more vulnerable than 8.0.0 due to a change at line 29 of CFIDE\ scripts\ajaxFCKeditor\editor\filemanager\connectors\cfm\config.cfm -- Howard Fore, [email protected]<mailto:[email protected]> "The worthwhile problems are the ones you can really solve or help solve, the ones you can really contribute something to. ... No problem is too small or too trivial if we can really do something about it." - Richard P. Feynman On Thu, Jul 2, 2009 at 6:51 PM, John Mason <[email protected]<mailto:[email protected]>> wrote: Just a bit goofy writing in that article but this involves the richtext feature that was introduced in CF 8. So not older version at all. John Charlie Arehart wrote: I'm curious about their phrasing of "older installations of Cold Fusion applications" and FCKEditor. It was only included as of CF8 (codenamed scorpio, as mentioned in this news from the fckeditor folks: http://www.fckeditor.net/Adobe_to_embed_FCKeditor_in_ColdFusion). So it's too bad that the opening lines suggest it affects only "older installations". Also, FWIW, this blog entry by an Adobe engineer (http://www.rakshith.net/blog/?p=41), from 2007, says specifically that the file upload feature in FCKEditor was disabled by default in CF8, so it would seem only those who enabled that who would have the issue. Not diminishing the concern. Just saying the info shared by the seems rather incomplete, and potentially confusing. But as someone already added as a comment there, perhaps the real issue is the cffile upload aspect, and they point readers to Pete F's recent blog entry on that. /charlie -----Original Message----- From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Dean H. Saxe Sent: Thursday, July 02, 2009 5:14 PM To: [email protected]<mailto:[email protected]> Subject: [ACFUG Discuss] CF Attacks in the wild FYI http://bit.ly/dUdvv "There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We received several e-mails about this. It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server." I have known about this for a few months now, but had to be silent on it. Adobe hasn't patched it (yet) but the attacks are in the wild... -dhs Dean H. Saxe, CISSP, CEH [email protected]<mailto:[email protected]> "If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945 ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com ------------------------------------------------------------- ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com ------------------------------------------------------------- ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com ------------------------------------------------------------- -- Regards, Steve Drucker CEO Fig Leaf Software http://www.figleaf.com http://training.figleaf.com Adobe, Google, Paperthin Consulting/Training/Sales ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
