To paraphrase everyone's favorite movie...
"The needs of the many outweigh the needs of the few... Or the one"
And notwithstanding the events of the last week...
"I have been... And always shall be... Your friend"
Regards,
Steve Drucker
Founder
Fig Leaf Software
http://www.figleaf.com
http://training.figleaf.com
On Jul 9, 2009, at 2:44 AM, Josh Adams <[email protected]> wrote:
There are numerous points in this chain where I could now drop in
and mention the Hotfix that was released today but I think this is
the best point. But before it gets lost in the weeds:
As I just posted to my blog at http://blog.joshuaadams.com/index.cfm/2009/7/9/ColdFusion-8-Security-Bulletin-Has-Been-Posted-re-FCKEditor-Security-Vulnerability , we (Adobe) have released a Hotfix for the FCKEditor Security Vulnerability that has been discussed here in this thread. Please see the accompanying Security Bulletin at http://www.adobe.com/support/security/bulletins/apsb09-09.html for more information.
Okay, now to addressing Steve's message below: I hear you. If you haven't already, take a look at Terry Ryan's post from Monday at http://www.terrenceryan.com/blog/index.cfm/2009/7/6/Questions-about-the-FCKEditor-Vulnerability-in-ColdFusion. As explained there, there were some complications here, but ultimately, as Terry says of that process: "in this case it ended up biting us and you. We now know we should have released the workaround as soon as we knew about it." Sorry that didn't happen.
Hopefully we'll learn from this and avoid problems of this type in the future.
Josh
From: [email protected] [mailto:[email protected]] On Behalf Of Steve Drucker
Sent: Thursday, July 02, 2009 7:48 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] CF Attacks in the wild
Yeah, I just looked at it.
Ugly. Very ugly.
I can't believe Adobe didn't issue an immediate patch.
On Thu, Jul 2, 2009 at 7:41 PM, Howard Fore <[email protected]> wrote:
Yes not older. In fact, an 8.0.1 installation is more vulnerable than 8.0.0 due to a change at line 29 of CFIDE\scripts\ajaxFCKeditor\editor\filemanager\connectors\cfm\config.cfm
--
Howard Fore, [email protected]
"The worthwhile problems are the ones you can really solve or help
solve, the ones you can really contribute something to. ... No
problem is too small or too trivial if we can really do something
about it." - Richard P. Feynman
On Thu, Jul 2, 2009 at 6:51 PM, John Mason <[email protected]> wrote:
Just a bit goofy writing in that article but this involves the richtext feature that was introduced in CF 8. So not an older version at all.
John
Charlie Arehart wrote:
I'm curious about their phrasing of "older installations of Cold Fusion applications" and FCKEditor. It was only included as of CF8 (codenamed Scorpio, as mentioned in this news from the FCKeditor folks: http://www.fckeditor.net/Adobe_to_embed_FCKeditor_in_ColdFusion). So it's too bad that the opening lines suggest it affects only "older installations".
Also, FWIW, this blog entry by an Adobe engineer (http://www.rakshith.net/blog/?p=41), from 2007, says specifically that the file upload feature in FCKEditor was disabled by default in CF8, so it would seem only those who enabled that would have the issue.
Not diminishing the concern. Just saying the info shared by the seems rather incomplete, and potentially confusing. But as someone already added as a comment there, perhaps the real issue is the cffile upload aspect, and they point readers to Pete F's recent blog entry on that.
/charlie
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dean H. Saxe
Sent: Thursday, July 02, 2009 5:14 PM
To: [email protected]
Subject: [ACFUG Discuss] CF Attacks in the wild
FYI http://bit.ly/dUdvv
"There have been a high number of Cold Fusion web sites being
compromised in last 24 hours. We received several e-mails about this.
It appears that the attackers are exploiting web sites which have
older installations of some Cold Fusion applications. These
applications have vulnerable installations of FCKEditor, which is a
very popular HTML text editor, or CKFinder, which is an Ajax file
manager. The vulnerable installations allow the attackers to upload
ASP or Cold Fusion shells which further allow them to take complete
control over the server."
I have known about this for a few months now, but had to be silent on
it. Adobe hasn't patched it (yet) but the attacks are in the wild...
-dhs
Dean H. Saxe, CISSP, CEH
[email protected]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
--
Regards,
Steve Drucker
CEO
Fig Leaf Software
http://www.figleaf.com
http://training.figleaf.com
Adobe, Google, Paperthin Consulting/Training/Sales