Re: New CF8 vulnerability

2009-07-10 Thread Tom Chiverton
On Thursday 09 Jul 2009, Dawson, Michael wrote: I don't see your particular update level, but I do see an update level that is earlier than 77218. Cool. I cc'ed Adam so at least Adobe and Google now know :-) -- Helping to advantageously foster eligible guinine mindshares as part of the IT

Re: New CF8 vulnerability

2009-07-09 Thread Tom Chiverton
On Wednesday 08 Jul 2009, Adrocknaphobia wrote: Sorry Kris, I wish we could have made it a little less scary, but you shouldn't worry. Note the instructions aren't the best. Our CF8.0.0 server doesn't have 'editor/filemanager/connectors/cfm', so I've done # cd

Re: New CF8 vulnerability

2009-07-09 Thread Tom Chiverton
On Tuesday 07 Jul 2009, Dave l wrote: http://www.coldfusion.tv/viewVideo.cfm?videoID=111 There is a whole ton of 'old' errors in the application he hacks, any of which anyone could make. Without any one of them, the 'exploit' wouldn't have worked. There's nothing in the FCKeditor plugins

Re: New CF8 vulnerability

2009-07-09 Thread Tom Chiverton
Also, after applying it, the info. page still says: Update Level: /opt/coldfusion8/lib/updates/hf801-71471.jar Although it also says CF Classpath: :opt/coldfusion8/runtime/../lib/updates/hf801-71471.jar: :opt/coldfusion8/runtime/../lib/updates/coldfusion8.0.1_hf801-77218.jar: Is that

RE: New CF8 vulnerability

2009-07-09 Thread Dawson, Michael
I don't see your particular update level, but I do see an update level that is earlier than 77218. Thanks, Mike -Original Message- From: Tom Chiverton [mailto:tom.chiver...@halliwells.com] Sent: Thursday, July 09, 2009 11:03 AM To: cf-talk Subject: Re: New CF8 vulnerability Also

Re: New CF8 vulnerability

2009-07-08 Thread Ryan Stille
A hotfix was just released for this: http://www.adobe.com/support/security/bulletins/apsb09-09.html -Ryan ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists

Re: New CF8 vulnerability

2009-07-08 Thread Kris Jones
Is it only me, or does this patch solution look pretty bad? merge the cfide folder Ack! Cheers, Kris A hotfix was just released for this: http://www.adobe.com/support/security/bulletins/apsb09-09.html

Re: New CF8 vulnerability

2009-07-08 Thread Jason Fisher
They're (mostly) only replacing files down deep in the fckeditor's filemanagement folder, so it's not as scary as it sounds.

Re: New CF8 vulnerability

2009-07-08 Thread Adrocknaphobia
Sorry Kris, I wish we could have made it a little less scary, but you shouldn't worry. There is a 'scripts' directory under the CFIDE which is where we store all of our JS libraries like ExtJS and the FCKEditor. What the merge is doing is just updating the FCKEditor folder underneath, nothing

Re: New CF8 vulnerability

2009-07-07 Thread Dave l
Well, CF contains TONS of bundled items I've switched to railo now which doesn't have some of that stuff but it might be a good idea for adobe to implement some admin controls to be able to turn that stuff on or off. here is the video http://www.coldfusion.tv/viewVideo.cfm?videoID=111

Re: New CF8 vulnerability

2009-07-07 Thread Tom Chiverton
On Monday 06 Jul 2009, Pete Freitag wrote: I would keep FCKeditor file upload manager disabled for now: http://www.petefreitag.com/item/705.cfm As you seem to have a good test case, is it enough to set Config.Enabled=false ? -- Helping to efficiently empower customized distributed

Re: New CF8 vulnerability

2009-07-06 Thread Dave l
Sent: Sunday, 05 July, 2009 13:37 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability If there's a default web accessible URL path for uploaded files Well that's why you don't do it. I have done it but I don't anymore. That's true with any server, any platform, any

Re: New CF8 vulnerability

2009-07-06 Thread Eric Roberts
-Original Message- From: Dave l cfl...@jamwerx.com Sent: Sunday, 05 July, 2009 13:37 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability If there's a default web accessible URL path for uploaded files Well that's why you don't do it. I have done it but I

Re: New CF8 vulnerability

2009-07-06 Thread Pete Freitag
On Fri, Jul 3, 2009 at 7:32 PM, Eric Roberts ow...@threeravensconsulting.com wrote: I know the vulnerability was in older versions of FCKEditor...if one were to install and use the current version, does it still have the vulnerability or has that been fixed? I just got an emergency gig

Re: New CF8 vulnerability

2009-07-06 Thread Dave Watts
That's the trouble with bundling things. I used to think it was nice but really it creates these types of things. Well, CF contains TONS of bundled items; any of these items could conceivably have some unknown vulnerability. Database drivers, COM and .NET interfaces, all sorts of third-party

RE: New CF8 vulnerability

2009-07-05 Thread Adrian Lynch
[mailto:websitema...@gmail.com] Sent: 04 July 2009 05:01 To: cf-talk Subject: Re: New CF8 vulnerability Supposedly on July 6 a new version will be released that is at least better, if not 'fixed'. Kind of glad I put mine behind logins from the get-go. I am guessing that this affects all

RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts
That is my understanding as well. Dave Watts, CTO, Fig Leaf Software -Original Message- From: Adrian Lynch cont...@adrianlynch.co.uk Sent: Sunday, 05 July, 2009 06:42 To: cf-talk cf-talk@houseoffusion.com Subject: RE: New CF8 vulnerability If you mean your FCKEditor is accessed

Re: New CF8 vulnerability

2009-07-05 Thread Dave l
There's nothing OS-specific about the vulnerability, as far as I can see. I'm sure it more about a location that is easy to guess.. maybe the default fk one. Although them exe's are gunna have a bitch of a time running on a < 1gb sectioned partition with no rights on my xserver. To many

RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts
the first of those, but it's far less likely you're blocking the others. Dave Watts, CTO, Fig Leaf Software -Original Message- From: Dave l cfl...@jamwerx.com Sent: Sunday, 05 July, 2009 09:46 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability There's nothing OS-specific

Re: New CF8 vulnerability

2009-07-05 Thread Dave l
likely you're blocking the others. Dave Watts, CTO, Fig Leaf Software -Original Message- From: Dave l cfl...@jamwerx.com Sent: Sunday, 05 July, 2009 09:46 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability There's nothing OS-specific about

RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts
directories. Dave Watts, CTO, Fig Leaf Software -Original Message- From: Dave l cfl...@jamwerx.com Sent: Sunday, 05 July, 2009 13:37 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability If there's a default web accessible URL path for uploaded files Well that's why you

RE: New CF8 vulnerability

2009-07-04 Thread Dave Watts
No, a restart shouldn't be required. Dave Watts, CTO, Fig Leaf Software -Original Message- From: David McGuigan davidmcgui...@gmail.com Sent: Saturday, 04 July, 2009 00:29 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability So do we not need to restart ColdFusion

RE: New CF8 vulnerability

2009-07-04 Thread Dave Watts
I don't know, but it should be easy enough to check on your install. Dave Watts, CTO, Fig Leaf Software -Original Message- From: Eric Roberts ow...@threeravensconsulting.com Sent: Friday, 03 July, 2009 19:32 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability

RE: New CF8 vulnerability

2009-07-03 Thread Adrian Lynch
they are encrypted. Am I missing something? Adrian -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 03 July 2009 00:17 To: cf-talk Subject: New CF8 vulnerability You may want to check for this on any clients/projects you've worked with: http

RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts
I suspect you have an older version of FCKEditor deployed in that case. Dave Watts, CTO, Fig Leaf Software -Original Message- From: Adrian Lynch cont...@adrianlynch.co.uk Sent: Friday, 03 July, 2009 06:46 To: cf-talk cf-talk@houseoffusion.com Subject: RE: New CF8 vulnerability I

RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts
There's nothing OS-specific about the vulnerability, as far as I can see. Dave Watts, CTO, Fig Leaf Software -Original Message- From: James Holmes james.hol...@gmail.com Sent: Thursday, 02 July, 2009 20:56 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability

Re: New CF8 vulnerability

2009-07-03 Thread Tom Chiverton
On Friday 03 Jul 2009, Adrian Lynch wrote: Am I missing something? You're on CF8.0.0 not 8.0.1 and so fine ? -- Helping to biannually pursue best-of-breed sexy holistic eyeballs as part of the IT team of the year, '09 and '08 This email

Re: New CF8 vulnerability

2009-07-03 Thread Tom Chiverton
On Friday 03 Jul 2009, Dave Watts wrote: Remediation steps available here: http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat Site down, probably load. In summary: CF8.0.1 ships with a plugin in the FCKeditor that powers rich text editing in a non-default, insecure

Re: New CF8 vulnerability

2009-07-03 Thread Ian Skinner
Dave Watts wrote: You may want to check for this on any clients/projects you've worked with: http://isc.sans.org/diary.html?storyid=6715 How does this exploit actually work? I presume it is somebody directly accessing the exposed, vulnerable, exploitable files via

Re: New CF8 vulnerability

2009-07-03 Thread Brian McCairn
what if you want to do file upload with fckeditor?

Re: New CF8 vulnerability

2009-07-03 Thread Ian Skinner
Brian McCairn wrote: what if you want to do file upload with fckeditor? The recommendation seems to be to install the latest version of fckeditor independently of the built in ColdFusion edition and to make sure that it resides and works within properly sandboxed portions of your system so

RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts
Skinner h...@ilsweb.com Sent: Friday, 03 July, 2009 10:08 To: cf-talk cf-talk@houseoffusion.com Subject: Re: New CF8 vulnerability Dave Watts wrote: You may want to check for this on any clients/projects you've worked with: http://isc.sans.org/diary.html?storyid=6715 How does this exploit actually

RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts
Subject: Re: New CF8 vulnerability what if you want to do file upload with fckeditor?

Re: New CF8 vulnerability

2009-07-03 Thread Ian Skinner
Dave Watts wrote: Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case. Dave Watts, CTO, Fig Leaf Software Well, that was my

RE: New CF8 vulnerability

2009-07-03 Thread Dave Watts
: New CF8 vulnerability Dave Watts wrote: Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case. Dave Watts, CTO, Fig Leaf Software

Re: New CF8 vulnerability

2009-07-03 Thread Eric Roberts
Dave (or anyone else with information), I know the vulnerability was in older versions of FCKEditor...if one were to install and use the current version, does it still have the vulnerability or has that been fixed? I just got an emergency gig to fix a site that was hacked because of this and we

Re: New CF8 vulnerability

2009-07-03 Thread Matt Robertson
Supposedly on July 6 a new version will be released that is at least better, if not 'fixed'. Kind of glad I put mine behind logins from the get-go. I am guessing that this affects all FCKEditor installations and not just CF8's cftextarea. Way back when, an earlier cf connector was so full of

Re: New CF8 vulnerability

2009-07-03 Thread David McGuigan
So do we not need to restart ColdFusion after making this change? On Fri, Jul 3, 2009 at 5:32 PM, Eric Roberts ow...@threeravensconsulting.com wrote: Dave (or anyone else with information), I know the vulnerability was in older versions of FCKEditor...if one were to install and use the

New CF8 vulnerability

2009-07-02 Thread Dave Watts
You may want to check for this on any clients/projects you've worked with: http://isc.sans.org/diary.html?storyid=6715 Remediation steps available here: http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf

Re: New CF8 vulnerability

2009-07-02 Thread James Holmes
And that's why our prod servers are read only (and Linux). mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/ 2009/7/3 Dave Watts dwa...@figleaf.com: You may want to check for this on any clients/projects you've worked with: