CF8 and FCKEditor Security threat

Jul 02, 2009

In a recent SANS posting, they identify a vulnerability in some ColdFusion installations. It involves the richtext feature found in cftextarea. This feature actually uses an open source application called FCKeditor. FCKeditor has functionality to handle file uploads and file management, but this feature should be disabled in the version embedded in CF server. The problem is that in some cases the connector that runs this feature is actually turned on.

Is your connector on? Go to..
CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm

Open config.cfm and look at the Config.Enabled setting inside the cfscript block. If it reads "Config.Enabled = true ;", the connector is on.

If left on, this means a hacker might be able to call the file manager connector directly, without ever going through your cftextarea, upload files and take control of the server. FCKeditor has some history of being exploited by this type of attack.

Solutions:
1) Turn off the connector (set Config.Enabled to false in config.cfm) so that the file management and file upload features can't work.

2) To be completely safe, delete the entire filemanager directory found under "CFIDE\scripts\ajax\FCKeditor\editor". The embedded version of FCKeditor for CF doesn't and really shouldn't use this feature, so removing those files completely is the safest thing to do. Be mindful that updates to CF might re-introduce those files and naturally re-open the problem, so re-check after every update.
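Here is the check above as a script. This is an added example, not code from the original post, from Adobe or from FCKeditor: it looks under a CFIDE directory for the filemanager folder, reads connectors/cfm/config.cfm, and reports whether Config.Enabled is true. The cfscript assignment shape (Config.Enabled = true ;) is the one quoted in this post; the Config.AllowedExtensions["File"] name it also reads is an assumption about that file's layout, as is the sample config fragment at the bottom.

```python
"""Audit a ColdFusion 8 install for the embedded FCKeditor file-manager connector.

Added example; not code from the original post, from Adobe or from FCKeditor.
Assumption: the extension list lives in Config.AllowedExtensions["File"].
"""
import os
import re
import sys
from typing import Dict, List, Optional

FILEMANAGER_DIR = os.path.join("scripts", "ajax", "FCKeditor", "editor", "filemanager")
CONNECTOR_CONFIG = os.path.join(FILEMANAGER_DIR, "connectors", "cfm", "config.cfm")

# cfscript assignments of the form  Config.Name = value ;  or  Config.Name["Key"] = value ;
_ASSIGN = re.compile(r'^\s*Config\.(\w+)(?:\["(\w+)"\])?\s*=\s*(.*?)\s*;', re.MULTILINE)


def parse_config(text: str) -> Dict[str, str]:
    """Flatten Config.* assignments into {'Enabled': 'true', 'AllowedExtensions[File]': '7z,...'}."""
    settings: Dict[str, str] = {}
    for name, key, raw in _ASSIGN.findall(text):
        value = raw.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # unquote string literals
        settings[f"{name}[{key}]" if key else name] = value
    return settings


def connector_enabled(text: str) -> bool:
    """True when the connector is switched on (the fresh 8.0.1 default per the post)."""
    return parse_config(text).get("Enabled", "false").strip().lower() == "true"


def findings(config_text: Optional[str], filemanager_present: bool) -> List[str]:
    """Rank the install: worst finding first."""
    if not filemanager_present:
        return ["OK: filemanager directory absent (option 2 in the post applied)"]
    out = ["WARN: filemanager directory present; delete it unless you knowingly use it, "
           "and re-check after every CF update"]
    if config_text is None:
        out.append("WARN: connectors/cfm/config.cfm missing or unreadable; cannot tell whether the connector is on")
        return out
    settings = parse_config(config_text)
    if not settings:
        # CF 8.0 shipped this file encrypted; 8.0.1 ships it readable (see comments below).
        out.append("INFO: no Config.* assignments parsed; file is probably encrypted (pre-8.0.1), "
                   "update to 8.0.1 and re-check")
        return out
    if connector_enabled(config_text):
        out.insert(0, "CRITICAL: Config.Enabled = true; anyone who can reach /CFIDE/scripts can drive the file manager")
    else:
        out.append("OK: Config.Enabled is false")
    exts = settings.get("AllowedExtensions[File]")
    if exts:
        out.append(f"INFO: {len(exts.split(','))} upload extensions allowed for Type=File: {exts}")
    return out


def audit(cfide_root: str) -> List[str]:
    """Inspect a CFIDE directory on disk and return findings."""
    cfg = os.path.join(cfide_root, CONNECTOR_CONFIG)
    text: Optional[str] = None
    if os.path.isfile(cfg):
        with open(cfg, "r", encoding="latin-1", errors="replace") as fh:
            text = fh.read()
    return findings(text, os.path.isdir(os.path.join(cfide_root, FILEMANAGER_DIR)))


# Constructed config fragment in the shape the post quotes for a fresh 8.0.1 install.
SAMPLE_801_CONFIG = """\
<cfscript>
Config.Enabled = true ;
Config.ServerPath = "" ;
Config.AllowedExtensions["File"] = "7z,aiff,asf,avi,bmp,csv,doc,fla,flv,gif,gz,gzip,jpeg,jpg,mid,mov,mp3,pdf,png,txt,xml,zip" ;
</cfscript>
"""

if __name__ == "__main__":
    # Usage: python audit_fck.py /path/to/CFIDE   (no argument: run against the sample)
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for line in (audit(root) if root else findings(SAMPLE_801_CONFIG, True)):
        print(line)
```

Run it against every CFIDE directory on the box, not just the one the main site uses; a second web root that maps /CFIDE to the same files is just as reachable. An encrypted config.cfm is reported as INFO rather than OK, because (as the comments below note) it means the server has not been patched to 8.0.1 yet and the setting must be re-checked after that update.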


Comments

charlie arehart

charlie arehart wrote on 07/02/09 7:27 PM

John, so to be clear, are you saying that the entry in that file, just inside the cfscript:

Config.Enabled = true ;

should be changed to false (if we don't do the second alternative of deleting the directory)?

Also, to be clear, this does seem to be focused on using FCKeditor outside of CF, because the CF default configuration for both 8 and 8.0.1 seem to have it disabled (via other means), according to these 2 blog entries from Adobe engineer Rakshith:

re 8.0: http://www.rakshith.net/blog/?p=41

re 8.0.1: http://www.rakshith.net/blog/?p=58

Again, to be clear, this isn't countering what you've said. Just that at least Adobe seemed to have foreseen an aspect of this problem in the default config. It does seem they ought perhaps to give us more warning about the implications of enabling it. Maybe that will come soon.

PS John, I realize this seems ironic to ask in a security-related post, but would you consider reducing the complexity of your captcha? I explain how to do it (assuming you're using Lyla captcha) at:

http://www.carehart.org/blog/client/index.cfm/2006/10/7/lyla_captcha_simplified_xml_file
Shigeru

Shigeru wrote on 07/02/09 11:20 PM

My site was totally attacked. It added some code to all JavaScript files, HTML files and Application.cfm. The code loads a flash file which was infected by virus.
John Mason

John Mason wrote on 07/02/09 11:26 PM

Charlie,

I'm away from my computer at this moment, but the default settings at the present if you download and install CF 8.0.1 fresh will have this turned on. The settings will look like..

Config.Enabled = true ;
Config.ServerPath = "" ;

This however isn't the case with CF 8 when it first came out. I checked for this at that time. Apparently in the 8.0.1 release Adobe turned this on and that is a very serious problem as you can tell. So yes, a hacker wouldn't bother hitting your use of the cftextarea. They would just directly hit the FCKEditor filemanager system in your CFIDE/scripts to hack into the server.
John Mason

John Mason wrote on 07/02/09 11:33 PM

That second post from the Adobe engineer is quite remarkable. He basically says they turned that on in 8.0.1 to make file uploads easier to do. Well, he got that right :)

Sounds like the CF team needs a security lecture on what 'features' to not include in a release.
John Mason

John Mason wrote on 07/02/09 11:54 PM

For people wanting to use the FCKeditor tool with the file upload feature, I would advise downloading FCKEditor or any of the other similar tools and using it independently of what Adobe is trying to do here. Set the security settings up, then wrap around the FCKEditor tool a type of security login so that only authorized people can even access the CFML based filemanagement code. The default setup will actually have ASP, PHP and other language connectors. Simply take all that superfluous stuff out and just have the CFML based connectors. Have this exist with an Application scope that will require a user who hits those connectors to be authorized and logged in as a user with rights in your specific application. The problem with how Adobe did this is that anyone with access to the CFIDE/scripts directory (which is pretty much everyone) could hit that set of CFML code and cause you a lot of problems.
Scott Pinkston

Scott Pinkston wrote on 07/03/09 2:15 AM

glad I checked back here - I knew it was off in 8 and assumed it was still off in 8.0.1. Thanks for the heads up.
Gareth Cole

Gareth Cole wrote on 07/03/09 11:04 AM

Obviously enabling the config by default is a bit surprising. I knew file uploads hadn't been implemented in CF8, but wasn't aware of this change in cf801.

However, looking through my default config.cfm, it may not be as dangerous as feared. The article makes it sound as if any filetype can be uploaded, but the default allowed list in line 103 is set to:
"7z,aiff,asf,avi,bmp,csv,doc,fla,flv,gif,gz,gzip,jpeg,jpg,mid, mov,mp3,mp4,mpc,mpeg,mpg,ods,odt,pdf,png,ppt,pxd,qt,ram,rar,rm, rmi,rmvb,rtf,sdc,sitd,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav, wma,wmv,xls,xml,zip"

I don't recognise all of these filetypes, but I don't know if any of these can be executed on the server?
Pete Freitag

Pete Freitag wrote on 07/03/09 11:42 AM

John thanks for posting these details. I think it may only be turned on in fresh 8.0.1 installs, with upgrades it may be turned off still. Can anyone confirm?
Brent Frye

Brent Frye wrote on 07/03/09 12:14 PM

Not entirely true, the recent wave of uploads are being done to old versions of CFWebstore, not the built in FCKEditor. Take a look at http://www.cfexecute.com/post.cfm/cfwebstore-file-upload-vulnerability they are not using the FCKEditor files at all for this attack. I've yet to see any attacks using the FCKEditor file upload - and I've looked at plenty of CF servers in the past 2 weeks getting compromised.
Benjamin Franz

Benjamin Franz wrote on 07/03/09 12:53 PM

There is a <a href="http://www.ocert.org/advisories/ocert-2009-007.html">FCKeditor remote file upload vulnerability</a> that has just been announced as well. I wouldn't be surprised if the two are related.
Benjamin Franz

Benjamin Franz wrote on 07/03/09 12:55 PM

Sigh: Make that http://www.ocert.org/advisories/ocert-2009-007.html

I didn't realize this blog 'autolinked' URLs.
John Mason

John Mason wrote on 07/03/09 2:03 PM

So yes there was the Mime-type hack early this week that Ray Camden has a post on and Pete Freitag's extensive post on how to handle file upload operations should be required reading for any developer.

Here is Ray's post..
http://www.coldfusionjedi.com/index.cfm/2009/6/30/Are-you-aware-of-the-MIMEFile-Upload-Security-Issue

And Pete's post..
http://www.petefreitag.com/item/701.cfm

This is a different problem that appears to be in fresh CF 8.0.1 servers but let's be clear if you have CF 8 in any condition - check for this.

Gareth - so yes there is an extension check in FCKEditor, but as we have seen there are several ways to circumvent that and still make this a dangerous threat.
Chuck Weidler

Chuck Weidler wrote on 07/03/09 4:31 PM

I just checked my newest server running CF 8.0.1 and it was enabled, so I disabled it. This server had the newest ColdFusion 8.0.1, downloaded from Adobe.com, installed about 2 weeks ago.
Rakshith

Rakshith wrote on 07/04/09 5:13 AM

Hi all,

Just wanted to let you all know that Adobe is aware of this issue and we are working hard to release a hotfix for this security issue as soon as possible. Do go through this important <a href="http://blogs.adobe.com/psirt/2009/07/">post</a>; from Adobe Product Security Incident team which details how to mitigate the issue till the fix from Adobe comes out.

I agree with Gareth that the default config.cfm works with only a set of allowed extensions and not every file with any extension can be uploaded. But this definitely does not make the issue less serious.
Rakshith

Rakshith wrote on 07/04/09 5:16 AM

Sorry, here is the link for the post http://blogs.adobe.com/psirt/2009/07/
John Mason

John Mason wrote on 07/04/09 11:43 AM

Thanks Rakshith for the update.

Just wanted to make this additional note so you and the folks at Adobe can completely understand this problem.

As I looked at this more, I simply can't get past the fact that the file manager portion has no business being present in the embedded version of the editor in CF. A developer might decide to turn that feature on without considering a real problem with this logic - that without wrapping it in some type of authentication system, they are opening a very big hole in their security. I simply would advise Adobe to completely remove the file manager directory from the embedded version to be completely safe. If a developer wants to use the full features of FCKeditor - they need to implement it themselves.
Matthew Reinbold

Matthew Reinbold wrote on 07/05/09 12:35 AM

I browsed down to see if the settings were listed in the config.cfm. Found the file ok but the content could not be read in a text editor - it was encoded?

Has anyone else seen that? Is that normal?
John Mason

John Mason wrote on 07/06/09 3:28 AM

If you find that config file encrypted, then you haven't upgraded your CF server to 8.0.1 yet. Naturally, you need to do that, but when you do make certain to go back into that config file and check the connector setting.
Gareth Cole

Gareth Cole wrote on 07/06/09 10:20 AM

I've read through the various links here, and I understand now how hackers can exploit the mimetype to upload .cfm or other malicious files.

However, when I went back to looking at CF's implementation of fckeditor, they don't seem to be relying on the mimetype.

File uploads seem to be handled in the FileUpload() function of cf_commands.cfm.

The first thing I noticed was that files are initially uploaded to the temp directory, which I presume is outside the web root (line 42).

Then, on line 73, it checks the file extension against those I mentioned earlier. If the extension isn't allowed, the file is deleted.

Only if the file has passed these check, does it get moved to a location that could be inside the webroot (line 103).

Could someone point out the hole in this process please? If I'm missing something obvious, I'd like to know so I can check my other sites for it.

Thanks
Doug

Doug wrote on 07/06/09 11:18 AM

For those that use FCKEditor outside of CF, a new patch can be downloaded: http://www.fckeditor.net/

I assume it's in response to all these postings lately, but there has been no explanation for that patch yet.

It is supposedly possible to upgrade the CF version of FCKeditor, but I've never tried it myself. I use FCKeditor as a custom tag instead.
John Mason

John Mason wrote on 07/06/09 1:04 PM

Gareth - you can email me directly for more information at mason |at| fusionlink.com. Basically any unauthorized file upload is a very dangerous threat right out of the box. The file extension exclusion list and some of the other settings are also too wide of an opening. But the main point is that the filemanager directory shouldn't even be in the embedded version of the FCKeditor in CF8. It just shouldn't be there even to have a developer turn on.

Doug - FCKeditor goes through a variety of patches. If you do use FCK, stay on top of those notifications. I suspect this latest one isn't directly related since there was nothing the FCKeditor people can do to fix this. The problem was how Adobe implemented the editor into CF8.
John Mason

John Mason wrote on 07/06/09 2:39 PM

Gareth and Rakshith - Pete Freitag just posted that he was able to work around the extension limit and upload CFM files via the current default 8.0.1 settings.

http://www.petefreitag.com/item/705.cfm
Dave

Dave wrote on 07/08/09 1:27 PM

We are using FCKEditor for basic content management on our sites. Even though we require authentication for our authors to update site content, does this mean that we are still at risk?

Is the security threat just looking for the fckeditor directory and respective files to exploit - irrespective of whether or not we are checking for authenticated users, etc.??? Or is it just the fact that the connector is on that makes this a big problem?

What alternatives or counters are out there to deal and prevent this?
John Mason

John Mason wrote on 07/08/09 4:58 PM

Adobe has released the bug fix for this. I haven't reviewed it yet, but here is the link..

http://www.adobe.com/support/security/bulletins/apsb09-09.html
John Mason

John Mason wrote on 07/08/09 5:02 PM

Dave are you using the embedded FCKeditor in CF 8 or a standalone version?

Basically, you need to make certain that FCKeditor CFM filemanager is under an application umbrella that requires a user authentication procedure. Now, there's a certain level of trust being given to the authenticated user at that point, but that isn't a technical question as much as a policy one.
Dave

Dave wrote on 07/08/09 9:43 PM

@John,

We are using a standalone version of FCKEditor running on a site created in CF7. Currently, the FCKEditor folder is within a directory of the current site. Right now, the editor only becomes 'visible' after someone has logged on. However, it sounds like we need to do more work to secure this.
Josh Adams

Josh Adams wrote on 07/09/09 1:28 AM

Thanks for raising awareness about this, John.
Evan Ringer

Evan Ringer wrote on 07/09/09 4:39 PM

We installed the Adobe hotfix for this issue, and oddly enough it seems that in doing so it also enabled an old cf 8 bug where cfftp requires a connection name, as described here:
http://objectmix.com/cold-fusion/410324-cfftp-bug-8-0-1-a.html
I was able to get around it by providing a dummy connection name as recommended, but I'm just curious to know if anyone else had the same issue and/or if there a possibility that this new hotfix somehow undid any previous patches for this?
Carlos

Carlos wrote on 07/13/09 12:57 PM

I noticed numerous access attempts to our /filemanager/connectors.cfm directory and after a quick Google search found this post. I check our config.cfm file and the connector was indeed enabled. So my question is, how do I know if malicious files have been uploaded?
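Logs cannot prove what was written to disk, but they can answer the first half of the question above: who reached the connector, from where, and did they try to upload? The script below is an added example (not code from the original post, from Adobe or from FCKeditor) that parses Apache combined-format access logs, flags requests under the filemanager path, separates upload commands from browsing, and also flags any server-side script fetched from the upload directory afterwards. Assumptions not stated in the post: the Command=/Type= query parameters follow FCKeditor's connector protocol, uploads land under FCKeditor's default /userfiles/ path unless config.cfm says otherwise, and the sample log lines are constructed for this example.

```python
"""Triage web-server logs for requests aimed at the embedded FCKeditor connector.

Added example; not code from the original post, from Adobe or from FCKeditor.
Assumptions: FCKeditor connector query parameters (Command=, Type=), the default
/userfiles/ upload path, and the constructed SAMPLE_LOG below.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache/NCSA combined log format.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Everything under this prefix is file-manager code (path from the post), whether or not it 404s.
CONNECTOR_PREFIX = "/cfide/scripts/ajax/fckeditor/editor/filemanager/"
# Connector commands that write to the server; anything else is browsing.
WRITE_COMMANDS = {"fileupload", "createfolder"}
# Extensions the CF server would execute if fetched from the upload directory.
SERVER_SIDE_EXT = (".cfm", ".cfc", ".cfml")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _LOG.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str], user_files_path: str = "/userfiles/") -> Optional[str]:
    """Return 'upload', 'browse', 'exec' or None for an unrelated request."""
    parts = urlsplit(entry["url"])
    path = parts.path.lower()
    if path.startswith(CONNECTOR_PREFIX):
        query = {k.lower(): v[0].lower() for k, v in parse_qs(parts.query).items()}
        if (query.get("command") in WRITE_COMMANDS
                or path.endswith("/upload.cfm")   # quick-upload endpoint
                or entry["method"] == "POST"):    # connector browsing is GET-only
            return "upload"
        return "browse"
    # A server-side script requested from the upload directory is the "what happened next".
    if path.startswith(user_files_path.lower()) and path.endswith(SERVER_SIDE_EXT):
        return "exec"
    return None


def triage(lines: Iterable[str], user_files_path: str = "/userfiles/") -> Dict[str, object]:
    """Collect connector-related requests and summarise them per client IP."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry, user_files_path)
        if kind:
            entry["kind"] = kind
            hits.append(entry)
    uploads = [h for h in hits if h["kind"] == "upload"]
    return {
        "hits": hits,
        "uploads": uploads,
        # 2xx only means the connector answered; FCKeditor reports rejections inside a
        # 200 response, so every one of these still has to be checked on disk.
        "answered_uploads": [h for h in uploads if h["status"].startswith("2")],
        "executed": [h for h in hits if h["kind"] == "exec"],
        "by_ip": Counter(h["ip"] for h in hits),
    }


# Constructed sample log (Apache combined format); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jul/2009:09:12:01 -0400] "GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Jul/2009:09:12:03 -0400] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 93 "-" "Mozilla/4.0"
198.51.100.2 - - [13/Jul/2009:09:14:10 -0400] "GET /index.cfm HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2009:09:14:40 -0400] "GET /userfiles/file/cmd.cfm HTTP/1.1" 200 411 "-" "Mozilla/4.0"
192.0.2.9 - - [13/Jul/2009:11:30:44 -0400] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Type=File HTTP/1.1" 404 0 "-" "curl/7.19"
"""

if __name__ == "__main__":
    # Usage: python triage_fck.py access.log   (no argument: run against the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    report = triage(lines)
    for h in report["hits"]:
        print(f'{h["kind"]:7} {h["ip"]:15} {h["ts"]} {h["method"]} {h["status"]} {h["url"]}')
    print("clients:", dict(report["by_ip"]))
```

A browse followed by an answered upload from the same client, and then a .cfm fetched from the upload directory, is the sequence to look for; if your config.cfm points uploads somewhere other than /userfiles/, pass that path as user_files_path. Note the caveat in the code: an answered upload is not a confirmed upload, so the on-disk check (files under the upload directory, and the injected-script symptom Shigeru describes above) is still needed.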
Russ michaels

Russ michaels wrote on 07/14/09 11:44 AM

Hi,

If you do not want to totally disable the filemanager then you can just disable file uploads, see my article for more details.

http://russ.michaels.me.uk/index.cfm/2009/7/6/FCKEditor-Security-threat-in-ColdFusion-8

Also this is only a server wide issue if your host's server is not secured by security sandboxes or is running CF standard edition, otherwise any file access will be limited to the paths defined by the sandbox, which should be only the site itself and not the whole server.
John Mason

John Mason wrote on 07/17/09 3:53 PM

@Evan - not sure, but I didn't like the hotfix they developed for this.

@Carlos - best policy is to assume your server has been compromised and to set up an entirely new server.

@Russ - Sandboxing will vary but normally the default CFIDE directory permission has its own sandbox which has permissions to the entire server. Just like the WEB-INF. Sandboxing isn't really going to do much here. A hacker might still upload files to fill up the drive and cause problems in that way. Not a big fan of the Adobe hotfix for this. It's a bit of having your cake and eating it too. I would still encourage people not to have the filemanagement files in there and just to use FCKeditor independently with a proper authorization logic wrapped around it.
