Scottish ColdFusion User Group
Hi Stephen,

I'd argue that it is a CF vulnerability.

With manual installs of fckeditor, you have to explicitly enable file uploads in the config, and at this point you should be aware that you should implement some form of authentication.

With CF8.01, it automatically enables un-authenticated file upload functionality without making you aware of this. Most people will have just installed CF8.01 without realizing this.

Adobe seem to agree: http://blogs.adobe.com/psirt/2009/07/

From: scottishcfug@googlegroups.com [mailto:scottishcfug@googlegroups.com] On Behalf Of Stephen Moretti
Sent: 05 July 2009 23:41
To: scottishcfug@googlegroups.com
Subject: [SCFUG] Re: file upload vulnerability in CF801

Just so you are aware, it's not a ColdFusion vulnerability. It's a general FCKEditor vulnerability, regardless of middleware that it sits on.

2009/7/3 Gareth Cole <gareth.c...@esus.ie>

Hi Folks,

Just in case you haven't seen this yet, there's a security vulnerability in the CF801 updater:

http://www.theregister.co.uk/2009/07/03/coldfusion_compromise/

Some genius at Adobe decided to enable file uploads by default in the embedded fckeditor. Unfortunately, this allows hackers to upload any files they want on to your system, and take control of your server.

The link has full details and remedy.

--
Stephen Moretti
Blog : http://nil.checksite.co.uk/
Twitter : http://twitter.com/mr_nil
EE: http://beta.experts-exchange.com/M_1167123.html