file upload vulnerability in CF801
From: "Gareth Cole" <gareth.c...@esus.ie>
To: <scottishcfug@googlegroups.com>
Subject: RE: [SCFUG] Re: file upload vulnerability in CF801
Date: Mon, 6 Jul 2009 16:55:04 +0100
Message-ID: <2ACE6A384E78492499D6E97CAC0E047E@D820>
In-Reply-To: <868eda7c0907051540m6fd855faxa277c92d69da7919@mail.gmail.com>
Hi Stephen,

I'd argue that it is a CF vulnerability.

With manual installs of fckeditor, you have to explicitly enable file
uploads in the config, and at this point you should be aware that you should
implement some form of authentication.

With CF8.01, it automatically enables unauthenticated file upload
functionality without making you aware of this. Most people will have just
installed CF8.01 without realizing this.

Adobe seem to agree: http://blogs.adobe.com/psirt/2009/07/

-----Original Message-----
From: scottishcfug@googlegroups.com [mailto:scottishcfug@googlegroups.com]
On Behalf Of Stephen Moretti
Sent: 05 July 2009 23:41
To: scottishcfug@googlegroups.com
Subject: [SCFUG] Re: file upload vulnerability in CF801

Just so you are aware, it's not a ColdFusion vulnerability. It's a general
FCKEditor vulnerability, regardless of the middleware it sits on.

2009/7/3 Gareth Cole <gareth.c...@esus.ie>

Hi Folks,

Just in case you haven't seen this yet, there's a security vulnerability in
the CF801 updater:
http://www.theregister.co.uk/2009/07/03/coldfusion_compromise/

Some genius at Adobe decided to enable file uploads by default in the
embedded fckeditor. Unfortunately, this allows hackers to upload any files
they want on to your system, and take control of your server.

The link has full details and remedy.

-- 
Stephen Moretti
Blog : http://nil.checksite.co.uk/
Twitter : http://twitter.com/mr_nil
EE: http://beta.experts-exchange.com/M_1167123.html
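As an added illustration of the point argued in this thread (this is example code written here, not code from the mailing list, Adobe or the FCKeditor project), the Python below models the two situations Gareth contrasts: a manual install where uploads are off until an administrator turns them on and is expected to put authentication in front of them, versus a default where the upload connector is on and open to anonymous callers. It also shows the checks a hardened upload gate should apply: an authenticated session, an extension allow-list, and a server-chosen file name. Every name here (`UploadPolicy`, `audit_policy`, `gate_upload`, the session and policy shapes) is hypothetical and does not correspond to real FCKeditor or ColdFusion configuration keys.

```python
"""Model of editor upload-connector policies and a hardened upload gate.
Added example; all names and policy shapes are hypothetical."""
import os
import re
import secrets
from dataclasses import dataclass

# Allow-list of extensions the connector will store. Allow-lists are used
# rather than deny-lists so an overlooked server-side extension is refused.
SAFE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})


@dataclass(frozen=True)
class UploadPolicy:
    uploads_enabled: bool            # connector accepts upload requests at all
    require_auth: bool               # connector insists on an authenticated user
    allowed_extensions: frozenset = SAFE_EXTENSIONS


# Hypothetical models of the two situations described in the thread.
MANUAL_INSTALL = UploadPolicy(uploads_enabled=False, require_auth=True)  # off until enabled
CF801_DEFAULT = UploadPolicy(uploads_enabled=True, require_auth=False)   # on, anonymous
HARDENED = UploadPolicy(uploads_enabled=True, require_auth=True)         # on, behind auth


def audit_policy(policy):
    """Return the findings a defender would raise against a connector policy."""
    findings = []
    if policy.uploads_enabled and not policy.require_auth:
        findings.append("unauthenticated file upload enabled")
    if policy.uploads_enabled and not policy.allowed_extensions:
        findings.append("no extension allow-list")
    return findings


def safe_filename(name):
    """Split a client-supplied name into (stem, ext), discarding any directory
    components and any character outside a conservative set."""
    base = os.path.basename(name.replace("\\", "/"))
    stem, _, ext = base.rpartition(".")
    if not stem:                      # no dot at all, or a bare ".ext"
        stem, ext = ext, ""
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return stem, ext.lower()


def gate_upload(policy, session, filename):
    """Decide whether an upload is accepted.

    Returns (accepted, reason, stored_name). stored_name is a fresh random
    name, so the caller never writes to a path the client chose."""
    if not policy.uploads_enabled:
        return False, "uploads disabled", None
    if policy.require_auth and not session.get("user"):
        return False, "authentication required", None
    _stem, ext = safe_filename(filename)
    if ext not in policy.allowed_extensions:
        return False, f"extension '{ext or '(none)'}' not allowed", None
    return True, "ok", f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for label, policy in (("manual install", MANUAL_INSTALL),
                          ("CF 8.0.1 default", CF801_DEFAULT),
                          ("hardened", HARDENED)):
        print(f"{label:18s} findings: {audit_policy(policy) or 'none'}")
    # Constructed sample requests against the hardened policy.
    for sess, name in (({}, "photo.png"),
                       ({"user": "alice"}, "../../photo.PNG"),
                       ({"user": "alice"}, "page.cfm"),
                       ({"user": "alice"}, "photo.png.cfm")):
        print(sess, name, "->", gate_upload(HARDENED, sess, name)[:2])
```

The gate checks only the last extension, which is why `photo.png.cfm` is refused: a handler that looked for a known-good extension anywhere in the name would let it through. The audit function is the piece that flags the default the thread objects to (upload on, authentication off); the gate is what a connector should do once uploads are deliberately enabled.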