Web Images Videos Maps News Shopping Google Mail more »
Recently Visited Groups | Help | Sign in
Google Groups Home
Scottish ColdFusion User Group
Home
+ new post
Pages
Files
About this group
Join this group
file upload vulnerability in CF801
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   4 messages - Collapse all  -  Translate all to Translated (View all originals)
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Follow-up To:
Add Cc | Add Follow-up to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers that you hear
 
Gareth Cole  
View profile   Translate to Translated (View Original)
 More options 3 July, 15:41
From: "Gareth Cole" <gareth.c...@esus.ie>
Date: Fri, 3 Jul 2009 15:41:28 +0100
Local: Fri 3 July 2009 15:41
Subject: file upload vulnerability in CF801
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author

Hi Folks,

Just in case you haven't seen this yet, there's a security vulnerability in
the CF801 updater:

http://www.theregister.co.uk/2009/07/03/coldfusion_compromise/

Some genius at adobe decided to enable file uploads by default in the
embedded fckeditor. Unfortunately, this allows hackers to upload any files
they want on to your system, and take control of your server.

The link has full details and remedy.


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message, you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Stephen Moretti  
View profile   Translate to Translated (View Original)
 More options 5 July, 23:40
From: Stephen Moretti <stephen.more...@gmail.com>
Date: Sun, 5 Jul 2009 23:40:53 +0100
Local: Sun 5 July 2009 23:40
Subject: Re: [SCFUG] file upload vulnerability in CF801
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author

Just so you are aware its not a ColdFusion vunerability.  Its a general
FCKEditor vulnerability, regardless of middleware that it sits on.

2009/7/3 Gareth Cole <gareth.c...@esus.ie>

--
Stephen Moretti
Blog : http://nil.checksite.co.uk/
Twitter : http://twitter.com/mr_nil
EE: http://beta.experts-exchange.com/M_1167123.html

    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message, you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Gareth Cole  
View profile   Translate to Translated (View Original)
 More options 6 July, 16:55
From: "Gareth Cole" <gareth.c...@esus.ie>
Date: Mon, 6 Jul 2009 16:55:04 +0100
Local: Mon 6 July 2009 16:55
Subject: RE: [SCFUG] Re: file upload vulnerability in CF801
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author

Hi Stephen,

I'd argue that it is a CF vulnerability.

With manual installs of fckeditor, you have to explicitly enable file
uploads in the config, and at this point you should be aware that you should
implement some form of authentication.

With CF8.01, it automatically enables un-authenticated file upload
functionality without making you aware of this. Most people will have just
installed CF8.01 without realizing this.

Adobe seem to agree: http://blogs.adobe.com/psirt/2009/07/


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message, you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Gareth Cole  
View profile   Translate to Translated (View Original)
 More options 10 July, 12:08
From: "Gareth Cole" <gareth.c...@esus.ie>
Date: Fri, 10 Jul 2009 12:08:35 +0100
Local: Fri 10 July 2009 12:08
Subject: RE: [SCFUG] file upload vulnerability in CF801
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author

Adobe have released a hotfix now:

http://www.adobe.com/support/security/bulletins/apsb09-09.html

Quite a few servers have already been exploited by the issue, so it's worth
installing.


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message, you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Google Groups - Google Home - Terms of Service - Privacy Policy
©2009 Google