Re: New CF8 vulnerability

2009-07-10 Thread Tom Chiverton

On Thursday 09 Jul 2009, Dawson, Michael wrote:
> I don't see your particular update level, but I do see an update level
> that is earlier than 77218.

Cool. I cc'ed Adam so at least Adobe and Google now know :-)

-- 
Helping to advantageously foster eligible genuine mindshares as part of the IT 
team of the year, '09 and '08



This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and 
Wales under registered number OC307980 whose registered office address is at 
Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list 
of members is available for inspection at the registered office together with a 
list of those non members who are referred to as partners.  We use the word 
“partner” to refer to a member of the LLP, or an employee or consultant with 
equivalent standing and qualifications. Regulated by the Solicitors Regulation 
Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be 
confidential or legally privileged.  If you are not the addressee you must not 
read it and must not use any information contained in nor copy it nor inform 
any person other than Halliwells LLP or the addressee of its existence or 
contents.  If you have received this email in error please delete it and notify 
Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.halliwells.co

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324420
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


RE: New CF8 vulnerability

2009-07-09 Thread Dawson, Michael

I don't see your particular update level, but I do see an update level
that is earlier than 77218.

Thanks,
Mike

-Original Message-
From: Tom Chiverton [mailto:tom.chiver...@halliwells.com] 
Sent: Thursday, July 09, 2009 11:03 AM
To: cf-talk
Subject: Re: New CF8 vulnerability


Also, after applying it, the info. page still says:
Update Level: /opt/coldfusion8/lib/updates/hf801-71471.jar   

Although it also says
CF
Classpath: :opt/coldfusion8/runtime/../lib/updates/hf801-71471.jar:
:opt/coldfusion8/runtime/../lib/updates/coldfusion8.0.1_hf801-77218.jar:


Is that what everyone else sees ?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324395


Re: New CF8 vulnerability

2009-07-09 Thread Tom Chiverton

Also, after applying it, the info. page still says:
Update Level: /opt/coldfusion8/lib/updates/hf801-71471.jar   

Although it also says
CF 
Classpath: :opt/coldfusion8/runtime/../lib/updates/hf801-71471.jar:  
:opt/coldfusion8/runtime/../lib/updates/coldfusion8.0.1_hf801-77218.jar: 

Is that what everyone else sees ?
-- 
Helping to evangelistically promote functionalities as part of the IT team of 
the year, '09 and '08



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324393


Re: New CF8 vulnerability

2009-07-09 Thread Tom Chiverton

On Tuesday 07 Jul 2009, Dave l wrote:
> http://www.coldfusion.tv/viewVideo.cfm?videoID=111

There is a whole ton of 'old' errors in the application he hacks, any of which 
anyone could make. Without any one of them, the 'exploit' wouldn't have 
worked.
There's nothing in the FCKeditor plugins themselves that is wrong - if you 
rolled your own upload script this could still happen!

For instance 
* user file uploads to a web accessible directory
* not checking file type of uploaded files after the upload
* full exception output left on

-- 
Helping to dramatically utilize methodologies as part of the IT team of the 
year, '09 and '08



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324379


Re: New CF8 vulnerability

2009-07-09 Thread Tom Chiverton

On Wednesday 08 Jul 2009, Adrocknaphobia wrote:
> Sorry Kris, I wish we could have made it a little less scary, but you
> shouldn't worry.

Note the instructions aren't the best.
Our CF8.0.0 server doesn't have 'editor/filemanager/connectors/cfm', so I've 
done 
# cd ../CFIDE/scripts/ajax/FCKeditor/editor/filemanager 
# find . -name '*cfm' -exec rm {} \;
instead

For CF8.0.1, step 1 says to unzip the hot fix; don't, just upload the .jar.

-- 
Helping to evangelistically promote functionalities as part of the IT team of 
the year, '09 and '08



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324378
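
Added example (not part of the thread or of Adobe's bulletin): the two checks raised in the posts above, whether an upload directory is reachable under the web root and whether .cfm files remain in a directory, as a shell script that quarantines the files instead of deleting them. All function names and the sample tree are assumptions made for this example, and matching .cfml, .cfc and upper-case extensions goes beyond the `*cfm` pattern in the post.

```shell
#!/bin/sh
# Added example: audit an upload or connector directory for ColdFusion
# templates. All function names are made up for this example.

# Print the physical (symlink-resolved) absolute path of directory $1.
resolve_dir() {
    ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )
}

# Succeed if directory $1 is the web root $2 or lies beneath it.
# Symlinks are resolved first, so an upload directory that is linked
# into the document root still counts as web accessible.
is_under_webroot() {
    dir=$(resolve_dir "$1") || return 2
    root=$(resolve_dir "$2") || return 2
    case "$dir/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# List files under $1 with a ColdFusion template or component extension.
# Assumption: .cfml, .cfc and upper-case variants are included as well,
# which is broader than the '*cfm' pattern used in the post.
list_cf_scripts() {
    find "$1" -type f \
        \( -iname '*.cfm' -o -iname '*.cfml' -o -iname '*.cfc' \) | sort
}

# Move every file list_cf_scripts reports under $1 into $2, keeping its
# relative path, and print the number of files moved. Moving rather than
# rm keeps the files for later inspection. File names containing
# newlines are not handled.
quarantine_cf_scripts() {
    src=$(resolve_dir "$1") || return 2
    mkdir -p "$2" || return 2
    dest=$(resolve_dir "$2") || return 2
    # A quarantine inside the scanned tree would stay just as reachable.
    if is_under_webroot "$dest" "$src"; then
        echo "quarantine directory must be outside $src" >&2
        return 2
    fi
    ( cd "$src" && list_cf_scripts . ) | while IFS= read -r f; do
        mkdir -p "$dest/$(dirname "$f")" &&
            mv -- "$src/$f" "$dest/$f" &&
            echo "$f"
    done | wc -l | tr -d ' '
}

# Constructed sample tree for trying the functions offline: a fake web
# root whose upload directory holds one image and two uploaded templates,
# plus an upload directory outside the web root.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wwwroot/uploads/sub" "$t/private/uploads"
    : > "$t/wwwroot/uploads/photo.jpg"
    : > "$t/wwwroot/uploads/report.CFM"
    : > "$t/wwwroot/uploads/sub/x.cfc"
    echo "$t"
}

# Run the checks against the sample tree when called with --demo.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree) || exit 1
    for d in "$tree/wwwroot/uploads" "$tree/private/uploads"; do
        if is_under_webroot "$d" "$tree/wwwroot"; then
            echo "WEB ACCESSIBLE: $d"
        else
            echo "outside web root: $d"
        fi
    done
    list_cf_scripts "$tree/wwwroot/uploads"
    moved=$(quarantine_cf_scripts "$tree/wwwroot/uploads" "$tree/quarantine")
    echo "moved to quarantine: $moved"
    rm -rf "$tree"
fi
```
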


Re: New CF8 vulnerability

2009-07-08 Thread Adrocknaphobia

Sorry Kris, I wish we could have made it a little less scary, but you
shouldn't worry. There is a 'scripts' directory under the CFIDE which is
where we store all of our JS libraries like ExtJS and the FCKEditor. What
the merge is doing is just updating the FCKEditor folder underneath, nothing
more. If you are still worried, just make a copy of the entire CFIDE
directory for a backup.
-Adam

On Wed, Jul 8, 2009 at 5:27 PM, Kris Jones  wrote:

>
> Is it only me, or does this patch solution look pretty bad?
> "merge the cfide folder"
> Ack!
>
> Cheers,
> Kris
>
> > A hotfix was just released for this:
> > http://www.adobe.com/support/security/bulletins/apsb09-09.html
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324358


Re: New CF8 vulnerability

2009-07-08 Thread Jason Fisher

They're (mostly) only replacing files down deep in the fckeditor's 
filemanagement folder, so it's not as scary as it sounds.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324356


Re: New CF8 vulnerability

2009-07-08 Thread Kris Jones

Is it only me, or does this patch solution look pretty bad?
 "merge the cfide folder"
Ack!

Cheers,
Kris

> A hotfix was just released for this:
> http://www.adobe.com/support/security/bulletins/apsb09-09.html

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324354


Re: New CF8 vulnerability

2009-07-08 Thread Ryan Stille

A hotfix was just released for this:
http://www.adobe.com/support/security/bulletins/apsb09-09.html

-Ryan

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324352


Re: New CF8 vulnerability

2009-07-07 Thread Tom Chiverton

On Monday 06 Jul 2009, Pete Freitag wrote:
> I would keep FCKeditor file upload manager disabled for now:
> http://www.petefreitag.com/item/705.cfm

As you seem to have a good test case, is it enough to set 
Config.Enabled=false ?

-- 
Helping to efficiently empower customized distributed eye-catching magnetic 
niches as part of the IT team of the year, '09 and '08



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324292


Re: New CF8 vulnerability

2009-07-06 Thread Dave l

"Well, CF contains TONS of bundled items"
 
I've switched to Railo now, which doesn't have some of that stuff, but it might 
be a good idea for Adobe to implement some admin controls to be able to turn 
that stuff on or off.

Here is the video:
http://www.coldfusion.tv/viewVideo.cfm?videoID=111

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324278


Re: New CF8 vulnerability

2009-07-06 Thread Dave Watts

> That's the trouble with bundling things. I used to think it was nice but
> really it creates these types of things.

Well, CF contains TONS of bundled items; any of these items could
conceivably have some unknown vulnerability. Database drivers, COM and
.NET interfaces, all sorts of third-party libraries, etc, etc.

> Have you seen the video of the guy hacking sites with this?

No. But it's a pretty easy thing, once you know how the vulnerability
works, I think.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324265


Re: New CF8 vulnerability

2009-07-06 Thread Pete Freitag

On Fri, Jul 3, 2009 at 7:32 PM, Eric Roberts <ow...@threeravensconsulting.com> wrote:

> I know the vulnerability was in older versions of FCKEditor...if one were to
> install and use the current version, does it still have the vulnerability or
> has that been fixed?  I just got an emergency gig to fix a site that was
> hacked because of this and we need to know if it is safe to do this or just
> keep FCKEditor disabled in the meantime.


I would keep FCKeditor file upload manager disabled for now:
http://www.petefreitag.com/item/705.cfm

--
Pete Freitag
http://foundeo.com/security/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324263


Re: New CF8 vulnerability

2009-07-06 Thread Eric Roberts

I have always installed FCK instead of using the bundled version...it allows
me to make sure that I have the latest version without affecting CF.  I am
not a fan of bundled/integrated anything...I think Office being the
exception...why would you want all of your eggs in one basket?

Eric

On Mon, Jul 6, 2009 at 9:13 AM, Dave l  wrote:

>
> That's the trouble with bundling things. I used to think it was nice but
> really it creates these types of things.
>
> Have you seen the video of the guy hacking sites with this?
>
> > It's not a CF-only issue. However, CF comes bundled with FCKEditor and
> > other scripting languages don't.
> >
> > If you don't allow uploads to web accessible directories, you don't
> > have anything to worry about. However, the default install of CF 8.0.1
> > on Windows does allow uploads to web accessible directories.
> >
> > Dave Watts, CTO, Fig Leaf Software
> >
> > -Original Message-
> > From: Dave l
> > Sent: Sunday, 05 July, 2009 13:37
> > To: cf-talk
> > Subject: Re: New CF8 vulnerability
> >
> > "If there's a default web accessible URL path for uploaded files"
> > Well that's why you don't do it. I have done it but I don't anymore.
> >
> > That's true with any server, any platform, any scripting language, I
> > don't know why they are making this out to be a cf only issue.
> >
> > I have 3 hd's,
> > #1 is the os and apps,
> > #2 is partitioned with 99.9% of it being bu stuff and the rest is just
> > few folders that the uploads go into and run thru doing what needs to
> > be done with them.
> > #3 is web server.
> >
> > So cfm files can only be run out of the #3 hd. So if I upload the files
> > to an isolated partition with min permissions how would they run that cf
> > file? That drive isn't accessible from the web & I have no ftps or any
> > incoming connections to that drive. They could of course hack into the
> > server itself and then move the file manually to the web server drive
> > then go get it ;)
> >
> > > If there's a default web accessible URL path for uploaded files, and
> > > that directory is configured to execute CF files, an attacker can
> > > simply upload a .cfm file, and run it to do anything CF can do:
> > > CFEXECUTE, access databases, connect to outbound FTP servers, etc.
> > > You may not allow the first of those, but it's far less likely you're
> > > blocking the others.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > >
> > > -Original Message-
> > > From: Dave l
> > > Sent: Sunday, 05 July, 2009 09:46
> > > To: cf-talk
> > > Subject: Re: New CF8 vulnerability
> > >
> > > "There's nothing OS-specific about the vulnerability, as far as I
> > > can see. "
> > > I'm sure it's more about a "location" that is easy to guess.. maybe
> > > the default fk one.
> > > Although them exe's are gunna have a bitch of a time running on a
> > > <1gb sectioned partition with no rights on my xserver.
> > >
> > > Too many people probably upload to /uploads (I'm guilty) so it
> > > shouldn't be too difficult.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324241


Re: New CF8 vulnerability

2009-07-06 Thread Dave l

That's the trouble with bundling things. I used to think it was nice but really 
it creates these types of things.

Have you seen the video of the guy hacking sites with this?




> It's not a CF-only issue. However, CF comes bundled with FCKEditor and
> other scripting languages don't.
>
> If you don't allow uploads to web accessible directories, you don't
> have anything to worry about. However, the default install of CF 8.0.1
> on Windows does allow uploads to web accessible directories.
>
> Dave Watts, CTO, Fig Leaf Software
>
> -Original Message-
> From: Dave l
> Sent: Sunday, 05 July, 2009 13:37
> To: cf-talk
> Subject: Re: New CF8 vulnerability
>
> "If there's a default web accessible URL path for uploaded files"
> Well that's why you don't do it. I have done it but I don't anymore.
>
> That's true with any server, any platform, any scripting language, I
> don't know why they are making this out to be a cf only issue.
>
> I have 3 hd's,
> #1 is the os and apps,
> #2 is partitioned with 99.9% of it being bu stuff and the rest is just
> few folders that the uploads go into and run thru doing what needs to
> be done with them.
> #3 is web server.
>
> So cfm files can only be run out of the #3 hd. So if I upload the files
> to an isolated partition with min permissions how would they run that cf
> file? That drive isn't accessible from the web & I have no ftps or any
> incoming connections to that drive. They could of course hack into the
> server itself and then move the file manually to the web server drive
> then go get it ;)
>
> > If there's a default web accessible URL path for uploaded files, and
> > that directory is configured to execute CF files, an attacker can
> > simply upload a .cfm file, and run it to do anything CF can do:
> > CFEXECUTE, access databases, connect to outbound FTP servers, etc.
> > You may not allow the first of those, but it's far less likely you're
> > blocking the others.
> >
> > Dave Watts, CTO, Fig Leaf Software
> >
> > -Original Message-
> > From: Dave l
> > Sent: Sunday, 05 July, 2009 09:46
> > To: cf-talk
> > Subject: Re: New CF8 vulnerability
> >
> > "There's nothing OS-specific about the vulnerability, as far as I
> > can see. "
> > I'm sure it's more about a "location" that is easy to guess.. maybe
> > the default fk one.
> > Although them exe's are gunna have a bitch of a time running on a
> > <1gb sectioned partition with no rights on my xserver.
> >
> > Too many people probably upload to /uploads (I'm guilty) so it
> > shouldn't be too difficult.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324234


RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts

It's not a CF-only issue. However, CF comes bundled with FCKEditor and other 
scripting languages don't.

If you don't allow uploads to web accessible directories, you don't have 
anything to worry about. However, the default install of CF 8.0.1 on Windows 
does allow uploads to web accessible directories.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Dave l 
Sent: Sunday, 05 July, 2009 13:37
To: cf-talk 
Subject: Re: New CF8 vulnerability


"If there's a default web accessible URL path for uploaded files"
Well that's why you don't do it. I have done it but I don't anymore.

That's true with any server, any platform, any scripting language, I don't know 
why they are making this out to be a cf only issue.

I have 3 hd's,
#1 is the os and apps,
#2 is partitioned with 99.9% of it being bu stuff and the rest is just few 
folders that the uploads go into and run thru doing what needs to be done with 
them.
#3 is web server.

So cfm files can only be run out of the #3 hd. So if I upload the files to an 
isolated partition with min permissions how would they run that cf file? That 
drive isn't accessible from the web & I have no ftps or any incoming 
connections to that drive. They could of course hack into the server itself and 
then move the file manually to the web server drive then go get it ;)

> If there's a default web accessible URL path for uploaded files, and
> that directory is configured to execute CF files, an attacker can
> simply upload a .cfm file, and run it to do anything CF can do:
> CFEXECUTE, access databases, connect to outbound FTP servers, etc. You
> may not allow the first of those, but it's far less likely you're
> blocking the others.
>
> Dave Watts, CTO, Fig Leaf Software
>
> -Original Message-
> From: Dave l
> Sent: Sunday, 05 July, 2009 09:46
> To: cf-talk
> Subject: Re: New CF8 vulnerability
>
> "There's nothing OS-specific about the vulnerability, as far as I can
> see. "
> I'm sure it's more about a "location" that is easy to guess.. maybe the
> default fk one.
> Although them exe's are gunna have a bitch of a time running on a
> <1gb sectioned partition with no rights on my xserver.
>
> Too many people probably upload to /uploads (I'm guilty) so it
> shouldn't be too difficult.
> 




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324232


Re: New CF8 vulnerability

2009-07-05 Thread Dave l

"If there's a default web accessible URL path for uploaded files"
Well that's why you don't do it. I have done it but I don't anymore.

That's true with any server, any platform, any scripting language, I don't know 
why they are making this out to be a cf only issue.

I have 3 hd's,
#1 is the os and apps,
#2 is partitioned with 99.9% of it being bu stuff and the rest is just few 
folders that the uploads go into and run thru doing what needs to be done with 
them.
#3 is web server.

So cfm files can only be run out of the #3 hd. So if I upload the files to an 
isolated partition with min permissions how would they run that cf file? That 
drive isn't accessible from the web & I have no ftps or any incoming 
connections to that drive. They could of course hack into the server itself and 
then move the file manually to the web server drive then go get it ;)

> If there's a default web accessible URL path for uploaded files, and
> that directory is configured to execute CF files, an attacker can
> simply upload a .cfm file, and run it to do anything CF can do:
> CFEXECUTE, access databases, connect to outbound FTP servers, etc. You
> may not allow the first of those, but it's far less likely you're
> blocking the others.
>
> Dave Watts, CTO, Fig Leaf Software
>
> -Original Message-
> From: Dave l
> Sent: Sunday, 05 July, 2009 09:46
> To: cf-talk
> Subject: Re: New CF8 vulnerability
>
> "There's nothing OS-specific about the vulnerability, as far as I can
> see. "
> I'm sure it's more about a "location" that is easy to guess.. maybe the
> default fk one.
> Although them exe's are gunna have a bitch of a time running on a
> <1gb sectioned partition with no rights on my xserver.
>
> Too many people probably upload to /uploads (I'm guilty) so it
> shouldn't be too difficult.
> 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324231


RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts

If there's a default web accessible URL path for uploaded files, and that 
directory is configured to execute CF files, an attacker can simply upload a 
.cfm file, and run it to do anything CF can do: CFEXECUTE, access databases, 
connect to outbound FTP servers, etc. You may not allow the first of those, but 
it's far less likely you're blocking the others.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Dave l 
Sent: Sunday, 05 July, 2009 09:46
To: cf-talk 
Subject: Re: New CF8 vulnerability


"There's nothing OS-specific about the vulnerability, as far as I can see. "
I'm sure it's more about a "location" that is easy to guess.. maybe the default 
fk one.
Although them exe's are gunna have a bitch of a time running on a <1gb 
sectioned partition with no rights on my xserver.

Too many people probably upload to /uploads (I'm guilty) so it shouldn't be too 
difficult.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324229


Re: New CF8 vulnerability

2009-07-05 Thread Dave l

"There's nothing OS-specific about the vulnerability, as far as I can see. "
I'm sure it's more about a "location" that is easy to guess.. maybe the default 
fk one.
Although them exe's are gunna have a bitch of a time running on a <1gb 
sectioned partition with no rights on my xserver.

Too many people probably upload to /uploads (I'm guilty) so it shouldn't be too 
difficult.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324224


RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts

That is my understanding as well.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Adrian Lynch 
Sent: Sunday, 05 July, 2009 06:42
To: cf-talk 
Subject: RE: New CF8 vulnerability


If you mean your FCKEditor is accessed in a secure area, I don't think that
matters. It's whether or not certain scripts can be accessed at
yourdomain.com/cfide/scripts/bla/bla/eek.cfm.

Someone correct me if this isn't the case...

Adrian

> -Original Message-
> From: Matt Robertson [mailto:websitema...@gmail.com]
> Sent: 04 July 2009 05:01
> To: cf-talk
> Subject: Re: New CF8 vulnerability
> 
> 
> Supposedly on July 6 a new version will be released that is at least
> better, if not 'fixed'.
> 
> Kind of glad I put mine behind logins from the get-go.  I am guessing
> that this affects all FCKEditor installations and not just CF8's
> cftextarea.
> 
> Way back when, an earlier cf connector was so full of holes I wound up
> rewriting it with another developer's help and posting it on their
> forum.  Guess that since then its code got a lot more complex but not
> a lot better.
> 
> --
> -...@robertson--
> Janitor, The Robertson Team
> mysecretbase.com





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324223


RE: New CF8 vulnerability

2009-07-05 Thread Adrian Lynch

If you mean your FCKEditor is accessed in a secure area, I don't think that
matters. It's whether or not certain scripts can be accessed at
yourdomain.com/cfide/scripts/bla/bla/eek.cfm.

Someone correct me if this isn't the case...

Adrian

> -Original Message-
> From: Matt Robertson [mailto:websitema...@gmail.com]
> Sent: 04 July 2009 05:01
> To: cf-talk
> Subject: Re: New CF8 vulnerability
> 
> 
> Supposedly on July 6 a new version will be released that is at least
> better, if not 'fixed'.
> 
> Kind of glad I put mine behind logins from the get-go.  I am guessing
> that this affects all FCKEditor installations and not just CF8's
> cftextarea.
> 
> Way back when, an earlier cf connector was so full of holes I wound up
> rewriting it with another developer's help and posting it on their
> forum.  Guess that since then its code got a lot more complex but not
> a lot better.
> 
> --
> -...@robertson--
> Janitor, The Robertson Team
> mysecretbase.com



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324222


RE: New CF8 vulnerability

2009-07-04 Thread Dave Watts

I don't know, but it should be easy enough to check on your install.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Eric Roberts 
Sent: Friday, 03 July, 2009 19:32
To: cf-talk 
Subject: Re: New CF8 vulnerability


Dave (or anyone else with information),

I know the vulnerability was in older versions of FCKEditor...if one were to
install and use the current version, does it still have the vulnerability or
has that been fixed?  I just got an emergency gig to fix a site that was
hacked because of this and we need to know if it is safe to do this or just
keep FCKEditor disabled in the meantime.

Eric


On Thu, Jul 2, 2009 at 6:17 PM, Dave Watts  wrote:

>
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715
>
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324217


RE: New CF8 vulnerability

2009-07-04 Thread Dave Watts

No, a restart shouldn't be required.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: David McGuigan 
Sent: Saturday, 04 July, 2009 00:29
To: cf-talk 
Subject: Re: New CF8 vulnerability


So do we not need to restart ColdFusion after making this change?


On Fri, Jul 3, 2009 at 5:32 PM, Eric Roberts <
ow...@threeravensconsulting.com> wrote:

>
> Dave (or anyone else with information),
>
> I know the vulnerability was in older versions of FCKEditor...if one were
> to
> install and use the current version, does it still have the vulnerability
> or
> has that been fixed?  I just got an emergency gig to fix a site that was
> hacked because of this and we need to know if it is safe to do this or just
> keep FCKEditor disabled in the meantime.
>
> Eric
>
>
> On Thu, Jul 2, 2009 at 6:17 PM, Dave Watts  wrote:
>
> >
> > You may want to check for this on any clients/projects you've worked
> with:
> > http://isc.sans.org/diary.html?storyid=6715
> >
> > Remediation steps available here:
> > http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> >
> > Fig Leaf Software provides the highest caliber vendor-authorized
> > instruction at our training centers in Washington DC, Atlanta,
> > Chicago, Baltimore, Northern Virginia, or on-site at your location.
> > Visit http://training.figleaf.com/ for more information!
> >
> >
>
> 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324216


Re: New CF8 vulnerability

2009-07-03 Thread David McGuigan

So do we not need to restart ColdFusion after making this change?


On Fri, Jul 3, 2009 at 5:32 PM, Eric Roberts <
ow...@threeravensconsulting.com> wrote:

>
> Dave (or anyone else with information),
>
> I know the vulnerability was in older versions of FCKEditor...if one were
> to
> install and use the current version, does it still have the vulnerability
> or
> has that been fixed?  I just got an emergency gig to fix a site that was
> hacked because of this and we need to know if it is safe to do this or just
> keep FCKEditor disabled in the meantime.
>
> Eric
>
>
> On Thu, Jul 2, 2009 at 6:17 PM, Dave Watts  wrote:
>
> >
> > You may want to check for this on any clients/projects you've worked
> with:
> > http://isc.sans.org/diary.html?storyid=6715
> >
> > Remediation steps available here:
> > http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> >
> > Fig Leaf Software provides the highest caliber vendor-authorized
> > instruction at our training centers in Washington DC, Atlanta,
> > Chicago, Baltimore, Northern Virginia, or on-site at your location.
> > Visit http://training.figleaf.com/ for more information!
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324212


Re: New CF8 vulnerability

2009-07-03 Thread Matt Robertson

Supposedly on July 6 a new version will be released that is at least
better, if not 'fixed'.

Kind of glad I put mine behind logins from the get-go.  I am guessing
that this affects all FCKEditor installations and not just CF8's
cftextarea.

Way back when, an earlier cf connector was so full of holes I wound up
rewriting it with another developer's help and posting it on their
forum.  Guess that since then its code got a lot more complex but not
a lot better.

-- 
-...@robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324211


Re: New CF8 vulnerability

2009-07-03 Thread Eric Roberts

Dave (or anyone else with information),

I know the vulnerability was in older versions of FCKEditor...if one were to
install and use the current version, does it still have the vulnerability or
has that been fixed?  I just got an emergency gig to fix a site that was
hacked because of this and we need to know if it is safe to do this or just
keep FCKEditor disabled in the meantime.

Eric


On Thu, Jul 2, 2009 at 6:17 PM, Dave Watts  wrote:

>
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715
>
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324210


RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts

Sorry for omitting the actual URLs, but I'm sending all this from my phone. And 
CF doesn't run on Windows Mobile!

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Ian Skinner 
Sent: Friday, 03 July, 2009 13:17
To: cf-talk 
Subject: Re: New CF8 vulnerability


Dave Watts wrote:
> Yes, I'm pretty certain that's how it works. You may want to test the actual 
> CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in 
> its configuration to ensure that some URLs work in any case.
>
> Dave Watts, CTO, Fig Leaf Software 

Well, that was my subtle request for a good URL or two to test!! :-) 

I tried one or two I could guess by looking at the directory under 
scrutiny and I got an encouraging 404 Not Found for them.  But I realize 
I may not be using the best URLs for my testing.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324207


Re: New CF8 vulnerability

2009-07-03 Thread Ian Skinner

Dave Watts wrote:
> Yes, I'm pretty certain that's how it works. You may want to test the actual 
> CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in 
> its configuration to ensure that some URLs work in any case.
>
> Dave Watts, CTO, Fig Leaf Software 

Well, that was my subtle request for a good URL or two to test!! :-) 

I tried one or two I could guess by looking at the directory under 
scrutiny and I got an encouraging 404 Not Found for them.  But I realize 
I may not be using the best URLs for my testing.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324205


RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts

You should take the same precautions you would with any file upload. Don't 
allow uploads to web-accessible directories that allow code execution on the 
server. Better yet, don't allow uploads to web-accessible directories at all, 
so that your server can't unwittingly host client-side malware. Don't run CF 
with root credentials, so that successfully uploaded CF scripts can't do bad 
things to your system.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Brian McCairn 
Sent: Friday, 03 July, 2009 10:38
To: cf-talk 
Subject: Re: New CF8 vulnerability


What if you want to do file upload with fckeditor?



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324204
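
An added example (not part of the original thread) of auditing an upload directory against the precautions in the message above: it reports whether the directory resolves to a location inside the web root and flags files whose names carry a server-script or client-executable extension anywhere in the name. The extension lists, directory names and sample files are assumptions constructed for the example.

```python
import os
import tempfile

# Assumed extension lists for this example; adjust them to the handlers
# your own web server and ColdFusion install actually map.
SERVER_SCRIPT_EXT = {".cfm", ".cfml", ".cfc", ".jsp"}
CLIENT_EXEC_EXT = {".exe", ".dll", ".scr", ".bat"}


def is_inside(child, parent):
    """True if child resolves (symlinks followed) to parent or below it."""
    child, parent = os.path.realpath(child), os.path.realpath(parent)
    try:
        return os.path.commonpath([child, parent]) == parent
    except ValueError:  # e.g. different drives on Windows
        return False


def classify(filename):
    """Check every dot-separated suffix, case-insensitively, so that both
    'logo.jpg.CFM' and 'logo.cfm.jpg' are caught."""
    suffixes = {"." + s.lower() for s in filename.split(".")[1:]}
    if suffixes & SERVER_SCRIPT_EXT:
        return "server-script"
    if suffixes & CLIENT_EXEC_EXT:
        return "client-executable"
    return None


def audit_uploads(web_root, upload_dir):
    """Report whether upload_dir is web-accessible and list risky files."""
    report = {"web_accessible": is_inside(upload_dir, web_root), "flagged": []}
    for dirpath, _dirs, files in os.walk(upload_dir):
        for name in files:
            kind = classify(name)
            if kind:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, upload_dir).replace(os.sep, "/")
                report["flagged"].append((rel, kind))
    report["flagged"].sort()
    return report


def build_sample(root):
    """Constructed sample data: a web root with an uploads folder inside it
    and a second upload store outside the web root."""
    web_root = os.path.join(root, "wwwroot")
    inside = os.path.join(web_root, "uploads")
    outside = os.path.join(root, "upload-store")
    os.makedirs(inside)
    os.makedirs(outside)
    for name in ("photo.jpg", "report.pdf", "logo.jpg.CFM", "setup.exe"):
        with open(os.path.join(inside, name), "wb") as fh:
            fh.write(b"constructed sample\n")
    with open(os.path.join(outside, "photo.jpg"), "wb") as fh:
        fh.write(b"constructed sample\n")
    return web_root, inside, outside


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        web_root, inside, outside = build_sample(tmp)
        for label, path in (("inside web root", inside), ("outside", outside)):
            print(label, audit_uploads(web_root, path))
```
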


RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts

Yes, I'm pretty certain that's how it works. You may want to test the actual CF 
URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its 
configuration to ensure that some URLs work in any case.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Ian Skinner 
Sent: Friday, 03 July, 2009 10:08
To: cf-talk 
Subject: Re: New CF8 vulnerability


Dave Watts wrote:
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715

How does this exploit actually work?  I presume it is somebody directly 
accessing the exposed, vulnerable, exploitable files via 
www.yourSite.org/cfide/scripts/something?  Is that correct?  If so, we 
may have been lucky enough that our cfide folder is not publicly 
available at the moment, but I would like to know more as I present this 
up the chain to get remediation steps done on our production servers.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324203


Re: New CF8 vulnerability

2009-07-03 Thread Ian Skinner

Brian McCairn wrote:
> What if you want to do file upload with fckeditor?

The recommendation seems to be to install the latest version of 
fckeditor independently of the built in ColdFusion edition and to make 
sure that it resides and works within properly sandboxed portions of your 
system so that permission escalation is much harder to accomplish.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324198


Re: New CF8 vulnerability

2009-07-03 Thread Brian McCairn

What if you want to do file upload with fckeditor?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324197


Re: New CF8 vulnerability

2009-07-03 Thread Ian Skinner

Dave Watts wrote:
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715

How does this exploit actually work?  I presume it is somebody directly 
accessing the exposed, vulnerable, exploitable files via 
www.yourSite.org/cfide/scripts/something?  Is that correct?  If so, we 
may have been lucky enough that our cfide folder is not publicly 
available at the moment, but I would like to know more as I present this 
up the chain to get remediation steps done on our production servers.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324192


Re: New CF8 vulnerability

2009-07-03 Thread Tom Chiverton

On Friday 03 Jul 2009, Dave Watts wrote:
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

Site down, probably load.
In summary: 
CF8.0.1 ships with a plugin in the FCKeditor that powers rich text editing in 
a non-default, insecure state.
Find config.cfm in
../CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm
and change 'Config.enabled' to false at the top.

Then review if you need any of the features you just turned off and take it 
from there.

-- 
Helping to vitalistically compete cross-platform mindshares as part of the IT 
team of the year, '09 and '08




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324184
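
The check summarised in the message above, as an added example that is not part of the original thread: a Python audit that walks a web root, finds every FCKeditor `config.cfm` below a `filemanager` directory (which covers the differing paths reported in this thread) and reports whether `Config.enabled` is on. The accepted values (`true`/`false`/`yes`/`no`), the comment handling and the sample files are assumptions constructed for the example; a file with no readable assignment, such as the encoded-looking ones mentioned in the thread, is reported as `unknown` for manual review.

```python
import os
import re
import tempfile

# The setting named in the thread, e.g. "Config.enabled = true ;".
# Case-insensitive (CFML identifiers are); "==" comparisons do not match.
ENABLED_RE = re.compile(
    r"\bconfig\s*\.\s*enabled\s*=\s*[\"']?(true|false|yes|no)\b", re.I)


def strip_comments(text):
    """Remove CFML (<!--- --->), block (/* */) and line (//) comments so a
    commented-out assignment is not mistaken for the live one."""
    text = re.sub(r"<!---.*?--->", "", text, flags=re.S)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)


def connector_state(path):
    """Return 'enabled', 'disabled', or 'unknown' (no readable assignment,
    which is what an encoded template looks like: review it by hand)."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # never fails on binary content
    values = ENABLED_RE.findall(strip_comments(text))
    if not values:
        return "unknown"
    # The last assignment in the file is the one in effect.
    return "enabled" if values[-1].lower() in ("true", "yes") else "disabled"


def audit(root):
    """Find every config.cfm below an FCKeditor filemanager directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = [p.lower() for p in dirpath.replace("\\", "/").split("/")]
        if "fckeditor" not in parts or "filemanager" not in parts:
            continue
        for name in files:
            if name.lower() == "config.cfm":
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, connector_state(full)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: the three config.cfm locations from the thread."""
    base = os.path.join(root, "CFIDE", "scripts", "ajax", "FCKeditor",
                        "editor", "filemanager")
    samples = {
        "connectors/cfm": b"<cfscript>\n\tConfig = StructNew() ;\n"
                          b"\tConfig.enabled = true ;\n</cfscript>\n",
        "browser/default/connectors/cfm":
            b"<cfscript>\n\tConfig = StructNew() ;\n"
            b"\t// Config.enabled = true ;\n"
            b"\tConfig.Enabled = false ;\n</cfscript>\n",
        # Stand-in for an encoded template: bytes with no readable text.
        "upload/cfm": bytes(range(128, 200)),
    }
    for sub, content in samples.items():
        target = os.path.join(base, *sub.split("/"))
        os.makedirs(target)
        with open(os.path.join(target, "config.cfm"), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, state in audit(tmp):
            print(f"{state:9} {rel}")
```
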


Re: New CF8 vulnerability

2009-07-03 Thread Tom Chiverton

On Friday 03 Jul 2009, Adrian Lynch wrote:
> Am I missing something?

You're on CF8.0.0 not 8.0.1 and so fine?

-- 
Helping to biannually pursue best-of-breed sexy holistic eyeballs as part of 
the IT team of the year, '09 and '08




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324183


RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts

There's nothing OS-specific about the vulnerability, as far as I can see.

Dave Watts, CTO, Fig Leaf Software

-Original Message-
From: James Holmes 
Sent: Thursday, 02 July, 2009 20:56
To: cf-talk 
Subject: Re: New CF8 vulnerability


And that's why our prod servers are read only (and Linux).

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



2009/7/3 Dave Watts :
>
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715
>
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324182


RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts

I suspect you have an older version of FCKEditor deployed in that case.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Adrian Lynch 
Sent: Friday, 03 July, 2009 06:46
To: cf-talk 
Subject: RE: New CF8 vulnerability


I don't seem to have the same file directory as that posted in the second
link. Instead I have:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\upload\cfm\config.cfm

and:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\browser\default\connectors\
cfm\config.cfm

Both of these files look like they are encrypted.

Am I missing something?

Adrian

> -Original Message-
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: 03 July 2009 00:17
> To: cf-talk
> Subject: New CF8 vulnerability
> 
> 
> You may want to check for this on any clients/projects you've worked
> with:
> http://isc.sans.org/diary.html?storyid=6715
> 
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-
> threat
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> 
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
> 
> 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324181


RE: New CF8 vulnerability

2009-07-03 Thread Adrian Lynch

I don't seem to have the same file directory as that posted in the second
link. Instead I have:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\upload\cfm\config.cfm

and:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\browser\default\connectors\
cfm\config.cfm

Both of these files look like they are encrypted.

Am I missing something?

Adrian

> -Original Message-
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: 03 July 2009 00:17
> To: cf-talk
> Subject: New CF8 vulnerability
> 
> 
> You may want to check for this on any clients/projects you've worked
> with:
> http://isc.sans.org/diary.html?storyid=6715
> 
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-
> threat
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> 
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324179


Re: New CF8 vulnerability

2009-07-02 Thread James Holmes

And that's why our prod servers are read only (and Linux).

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



2009/7/3 Dave Watts :
>
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715
>
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324174