On Thursday 09 Jul 2009, Dawson, Michael wrote:
I don't see your particular update level, but I do see an update level
that is earlier than 77218.
Cool. I cc'ed Adam so at least Adobe and Google now know :-)
--
Helping to advantageously foster eligible guinine mindshares as part of the IT
On Wednesday 08 Jul 2009, Adrocknaphobia wrote:
Sorry Kris, I wish we could have made it a little less scary, but you
shouldn't worry.
Note the instructions aren't the best.
Our CF8.0.0 server doesn't have 'editor/filemanager/connectors/cfm', so I've
done
# cd
On Tuesday 07 Jul 2009, Dave l wrote:
http://www.coldfusion.tv/viewVideo.cfm?videoID=111
There is a whole ton of 'old' errors in the application he hacks, any of which
anyone could make. Without anyone of them, the 'exploit' wouldn't have
worked.
There's nothing in the FCKeditor plugins
Also, after applying it, the info. page still says:
Update Level: /opt/coldfusion8/lib/updates/hf801-71471.jar
Although it also says
CF
Classpath: :opt/coldfusion8/runtime/../lib/updates/hf801-71471.jar:
:opt/coldfusion8/runtime/../lib/updates/coldfusion8.0.1_hf801-77218.jar:
Is that
I don't see your particular update level, but I do see an update level
that is earlier than 77218.
Thanks,
Mike
-Original Message-
From: Tom Chiverton [mailto:tom.chiver...@halliwells.com]
Sent: Thursday, July 09, 2009 11:03 AM
To: cf-talk
Subject: Re: New CF8 vulnerability
Also
A hotfix was just released for this:
http://www.adobe.com/support/security/bulletins/apsb09-09.html
-Ryan
~|
Want to reach the ColdFusion community with something they want? Let them know
on the House of Fusion mailing lists
Is it only me, or does this patch solution look pretty bad?
merge the cfide folder
Ack!
Cheers,
Kris
A hotfix was just released for this:
http://www.adobe.com/support/security/bulletins/apsb09-09.html
~|
Want to reach
They're (mostly) only replacing files down deep in the fckeditor's
filemanagement folder, so it's not as scary as it sounds.
~|
Want to reach the ColdFusion community with something they want? Let them know
on the House of
Sorry Kris, I wish we could have made it a little less scary, but you
shouldn't worry. There is a 'scripts' directory under the CFIDE which is
where we store all of our JS libraries like ExtJS and the FCKEditor. What
the merge is doing is just updating the FCKEditor folder underneath, nothing
Well, CF contains TONS of bundled items
I've switched to railo now which doesn't have some of that stuff but it might
be a good idea for adobe to implement some admin controls to be able to turn
that stuff on or off.
here is the video
http://www.coldfusion.tv/viewVideo.cfm?videoID=111
On Monday 06 Jul 2009, Pete Freitag wrote:
I would keep FCKeditor file upload manager disabled for now:
http://www.petefreitag.com/item/705.cfm
As you seem to have a good test case, is it enough to set
Config.Enabled=false ?
--
Helping to efficiently empower customized distributed
Sent: Sunday, 05 July, 2009 13:37
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
If there's a default web accessible URL path for uploaded files
Well that's why you don't do it. I have done it but I don't anymore.
That's true with any server, any platform, any
-Original Message-
From: Dave l cfl...@jamwerx.com
Sent: Sunday, 05 July, 2009 13:37
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
If there's a default web accessible URL path for uploaded files
Well that's why you don't do it. I have done it but I
On Fri, Jul 3, 2009 at 7:32 PM, Eric Roberts
ow...@threeravensconsulting.com wrote:
I know the vulnerability was in older versions of FCKEditor...if one were
to
install and use the current version, does it still have the vulnerability
or
has that been fixed? I just got an emergency gig
Thats the trouble with bundling things. I used to think it was nice but
really it creates
these types of things.
Well, CF contains TONS of bundled items; any of these items could
conceivably have some unknown vulnerability. Database drivers, COM and
.NET interfaces, all sorts of third-party
[mailto:websitema...@gmail.com]
Sent: 04 July 2009 05:01
To: cf-talk
Subject: Re: New CF8 vulnerability
Supposedly on July 6 a new version will be released that is at least
better, if not 'fixed'.
Kind of glad I put mine behind logins from the get-go. I am guessing
that this affects all
That is my understanding as well.
Dave Watts, CTO, Fig Leaf Software
-Original Message-
From: Adrian Lynch cont...@adrianlynch.co.uk
Sent: Sunday, 05 July, 2009 06:42
To: cf-talk cf-talk@houseoffusion.com
Subject: RE: New CF8 vulnerability
If you mean your FCKEditor is accessed
There's nothing OS-specific about the vulnerability, as far as I can see.
I'm sure it more about a location that is easy to guess.. maybe the default
fk one.
Although them exe's are gunna have a bitch of a time running on a lt 1gb
sectioned partition with no rights on my xserver.
To many
the first of those, but
it's far less likely you're blocking the others.
Dave Watts, CTO, Fig Leaf Software
-Original Message-
From: Dave l cfl...@jamwerx.com
Sent: Sunday, 05 July, 2009 09:46
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
There's nothing OS-specific
likely you're
blocking the others.
Dave Watts, CTO, Fig Leaf Software
-Original Message-
From: Dave l cfl...@jamwerx.com
Sent: Sunday, 05 July, 2009 09:46
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
There's nothing OS-specific about
directories.
Dave Watts, CTO, Fig Leaf Software
-Original Message-
From: Dave l cfl...@jamwerx.com
Sent: Sunday, 05 July, 2009 13:37
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
If there's a default web accessible URL path for uploaded files
Well that's why you
No, a restart shouldn't be required.
Dave Watts, CTO, Fig Leaf Software
-Original Message-
From: David McGuigan davidmcgui...@gmail.com
Sent: Saturday, 04 July, 2009 00:29
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
So do we not need to restart ColdFusion
I don't know, but it should be easy enough to check on your install.
Dave Watts, CTO, Fig Leaf Software
-Original Message-
From: Eric Roberts ow...@threeravensconsulting.com
Sent: Friday, 03 July, 2009 19:32
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
they are encrypted.
Am I missing something?
Adrian
-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 03 July 2009 00:17
To: cf-talk
Subject: New CF8 vulnerability
You may want to check for this on any clients/projects you've worked
with:
http
I suspect you have an older version of FCKEditor deployed in that case.
Dave Watts, CTO, Fig Leaf Software
-Original Message-
From: Adrian Lynch cont...@adrianlynch.co.uk
Sent: Friday, 03 July, 2009 06:46
To: cf-talk cf-talk@houseoffusion.com
Subject: RE: New CF8 vulnerability
I
There's nothing OS-specific about the vulnerability, as far as I can see.
Dave Watts, CTO, Fig Leaf Software
-Original Message-
From: James Holmes james.hol...@gmail.com
Sent: Thursday, 02 July, 2009 20:56
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
On Friday 03 Jul 2009, Adrian Lynch wrote:
Am I missing something?
You're on CF8.0.0 not 8.0.1 and so fine ?
--
Helping to biannually pursue best-of-breed sexy holistic eyeballs as part of
the IT team of the year, '09 and '08
This email
On Friday 03 Jul 2009, Dave Watts wrote:
Remediation steps available here:
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
Site down, probably load.
In summary:
CF8.0.1 ships with a plugin in the FCKeditor that powers rich text editing in
a non-default, insecure
Dave Watts wrote:
You may want to check for this on any clients/projects you've worked with:
http://isc.sans.org/diary.html?storyid=6715
How does this exploit actually work? I presume it is somebody directly
accessing the exposed, vulnerable, exploitable files via
what if you want to do file upload with fckeditor?
~|
Want to reach the ColdFusion community with something they want? Let them know
on the House of Fusion mailing lists
Archive:
Brian McCairn wrote:
what if you want to do file upload with fckeditor?
The recommendation seems to be to install the latest version of
fckeditor independently of the built in ColdFusion edition and to make
sure that it resides and works within properly sandboxed portions of you
system so
Skinner h...@ilsweb.com
Sent: Friday, 03 July, 2009 10:08
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability
Dave Watts wrote:
You may want to check for this on any clients/projects you've worked with:
http://isc.sans.org/diary.html?storyid=6715
How does this exploit actually
Subject: Re: New CF8 vulnerability
what if you want to do file upload with fckeditor?
~|
Want to reach the ColdFusion community with something they want? Let them know
on the House of Fusion mailing lists
Archive:
http
Dave Watts wrote:
Yes, I'm pretty certain that's how it works. You may want to test the actual
CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in
its configuration to ensure that some URLs work in any case.
Dave Watts, CTO, Fig Leaf Software
Well, that was my
: New CF8 vulnerability
Dave Watts wrote:
Yes, I'm pretty certain that's how it works. You may want to test the actual
CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in
its configuration to ensure that some URLs work in any case.
Dave Watts, CTO, Fig Leaf Software
Dave (or anyone else with information),
I know the vulnerability was in older versions of FCKEditor...if one were to
install and use the current version, does it still have the vulnerability or
has that been fixed? I just got an emergency gig to fix a site that was
hacked because of this and we
Supposedly on July 6 a new version will be released that is at least
better, if not 'fixed'.
Kind of glad I put mine behind logins from the get-go. I am guessing
that this affects all FCKEditor installations and not just CF8's
cftextarea.
Way back when, an earlier cf connector was so full of
So do we not need to restart ColdFusion after making this change?
On Fri, Jul 3, 2009 at 5:32 PM, Eric Roberts
ow...@threeravensconsulting.com wrote:
Dave (or anyone else with information),
I know the vulnerability was in older versions of FCKEditor...if one were
to
install and use the
You may want to check for this on any clients/projects you've worked with:
http://isc.sans.org/diary.html?storyid=6715
Remediation steps available here:
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf
And that's why our prod servers are read only (and Linux).
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
2009/7/3 Dave Watts dwa...@figleaf.com:
You may want to check for this on any clients/projects you've worked with:
40 matches
Mail list logo