House of Fusion

New ColdFusion 8 vulnerability
Author:
Dave Watts
07/02/2009 07:18 PM

You may want to check for this on any clients/projects you've worked with:
http://isc.sans.org/diary.html?storyid=6715

Remediation steps available here:
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Author:
James Holmes
07/02/2009 08:56 PM

And that's why our prod servers are read only (and Linux).

mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Author:
Adrian Lynch
07/03/2009 06:46 AM

I don't seem to have the same file directory as that posted in the second link. Instead I have:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\upload\cfm\config.cfm

and:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\browser\default\connectors\cfm\config.cfm

Both of these files look like they are encrypted. Am I missing something?

Adrian

Author:
Tom Chiverton
07/03/2009 08:10 AM

> Am I missing something?

You're on CF8.0.0 not 8.0.1 and so fine?

--
Helping to biannually pursue best-of-breed sexy holistic eyeballs as part of the IT team of the year, '09 and '08

****************************************************
This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office together with a list of those non members who are referred to as partners. We use the word "partner" to refer to a member of the LLP, or an employee or consultant with equivalent standing and qualifications. Regulated by the Solicitors Regulation Authority.

CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.co

Author:
Tom Chiverton
07/03/2009 08:12 AM

> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

Site down, probably load.

In summary: CF8.0.1 ships with a plugin in the FCKeditor that powers rich text editing in a non-default, insecure state.

Find config.cfm in ....../CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm and change 'Config.enabled' to false at the top.

Then review if you need any of the features you just turned off and take it from there.

--
Helping to vitalistically compete cross-platform mindshares as part of the IT team of the year, '09 and '08

Author:
Ian Skinner
07/03/2009 10:08 AM

Dave Watts wrote:
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715

How does this exploit actually work? I presume it is somebody directly accessing the exposed, vulnerable, exploitable files via www.yourSite.org/cfide/scripts/something? Is that correct?

If so, we may have been lucky enough that our cfide folder is not publicly available at the moment, but I would like to know more as I present this up the chain to get remediation steps done on our production servers.

Author:
Brian McCairn
07/03/2009 10:43 AM

What if you want to do file upload with FCKeditor?

Author:
Ian Skinner
07/03/2009 10:48 AM

Brian McCairn wrote:
> what if you want to do file upload with fckeditor?

The recommendation seems to be to install the latest version of FCKeditor independently of the built-in ColdFusion edition and to make sure that it resides and works within properly sandboxed portions of your system so that permission escalation is much harder to accomplish.

Author:
Eric Roberts
07/03/2009 07:33 PM

Dave (or anyone else with information),

I know the vulnerability was in older versions of FCKeditor... if one were to install and use the current version, does it still have the vulnerability or has that been fixed? I just got an emergency gig to fix a site that was hacked because of this and we need to know if it is safe to do this or just keep FCKeditor disabled in the meantime.

Eric

Author:
Matt Robertson
07/04/2009 12:01 AM

Supposedly on July 6 a new version will be released that is at least better, if not 'fixed'.

Kind of glad I put mine behind logins from the get-go. I am guessing that this affects all FCKeditor installations and not just CF8's cftextarea.

Way back when, an earlier CF connector was so full of holes I wound up rewriting it with another developer's help and posting it on their forum. Guess that since then its code got a lot more complex but not a lot better.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Author:
Adrian Lynch
07/05/2009 06:42 AM

If you mean your FCKeditor is accessed in a secure area, I don't think that matters. It's whether or not certain scripts can be accessed at yourdomain.com/cfide/scripts/bla/bla/eek.cfm.

Someone correct me if this isn't the case...

Adrian

Author:
David McGuigan
07/04/2009 12:30 AM

So do we not need to restart ColdFusion after making this change?

Author:
Pete Freitag
07/06/2009 03:39 PM

I would keep the FCKeditor file upload manager disabled for now:
http://www.petefreitag.com/item/705.cfm

--
Pete Freitag
http://foundeo.com/security/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog

Author:
Tom Chiverton
07/07/2009 08:58 AM

> I would keep FCKeditor file upload manager disabled for now:
> http://www.petefreitag.com/item/705.cfm

As you seem to have a good test case, is it enough to set Config.Enabled=false ?

--
Helping to efficiently empower customized distributed eye-catching magnetic niches as part of the IT team of the year, '09 and '08

Author:
Ryan Stille
07/08/2009 04:06 PM

A hotfix was just released for this:
http://www.adobe.com/support/security/bulletins/apsb09-09.html

-Ryan

Author:
Kris Jones
07/08/2009 05:28 PM

Is it only me, or does this patch solution look pretty bad?

"merge the cfide folder"

Ack!

Cheers,
Kris

> A hotfix was just released for this:
> http://www.adobe.com/support/security/bulletins/apsb09-09.html

Author:
Jason Fisher
07/08/2009 05:47 PM

They're (mostly) only replacing files down deep in the fckeditor's filemanagement folder, so it's not as scary as it sounds.

Author:
Adrocknaphobia
07/08/2009 05:58 PM

Sorry Kris, I wish we could have made it a little less scary, but you shouldn't worry. There is a 'scripts' directory under the CFIDE which is where we store all of our JS libraries like ExtJS and the FCKEditor. What the merge is doing is just updating the FCKEditor folder underneath, nothing more. If you are still worried, just make a copy of the entire CFIDE directory for a backup.

-Adam

Author:
Tom Chiverton
07/09/2009 06:29 AM

> Sorry Kris, I wish we could have made it a little less scary, but you
> shouldn't worry.

Note the instructions aren't the best. Our CF8.0.0 server doesn't have 'editor/filemanager/connectors/cfm', so I've done

# cd ....../CFIDE/scripts/ajax/FCKeditor/editor/filemanager
# find . -name '*cfm' -exec rm {} \;

instead.

For CF8.0.1, step 1 says to unzip the hot fix; don't, just upload the .jar.

--
Helping to evangelistically promote functionalities as part of the IT team of the year, '09 and '08
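The two manual remediations in this thread (Tom's "find config.cfm and set Config.enabled to false" for 8.0.1, and the find-and-delete he falls back to on an 8.0.0 box that has the older upload/ and browser/ layout Adrian lists) as one audit script. This is an added example written for this page, not Adobe's hotfix or FCKeditor's own tooling. It assumes the switch is written as `<cfset Config.Enabled = true>` (the regex also tolerates a bare `enabled` in case an older connector omits the `Config.` prefix), that the three config.cfm locations listed are the ones worth auditing, and it reports any file without a readable cfset as 'unreadable' rather than guessing, which is where Adrian's encoded templates would land. The demo tree it builds is constructed.

```python
"""Audit a ColdFusion 8 tree for FCKeditor CFM file-manager configs.

Example written for this page, not Adobe's or FCKeditor's own tooling.
Finds every config.cfm belonging to the bundled editor's file manager,
reports whether Config.Enabled is true, and can flip it to false in place.
"""
import os
import re
import tempfile
from pathlib import Path

# Layouts named in the thread: the CF 8.0.1 connector directory plus the
# older 8.0.0 upload/ and browser/ directories. Assumed to be the full set.
CONFIG_RELPATHS = (
    "editor/filemanager/connectors/cfm/config.cfm",
    "editor/filemanager/upload/cfm/config.cfm",
    "editor/filemanager/browser/default/connectors/cfm/config.cfm",
)

# Assumed form of the switch: <cfset Config.Enabled = true>. Case-insensitive,
# whitespace-tolerant, "Config." prefix optional for an older bare variable.
ENABLED_RE = re.compile(
    r"<cfset\s+(?:config\.)?enabled\s*=\s*(true|false)\s*/?>", re.IGNORECASE
)


def find_connector_configs(cf_root):
    """Yield each candidate config.cfm under every FCKeditor dir in cf_root.

    A full walk rather than a fixed CFIDE path, so a relocated or duplicated
    CFIDE copy is still covered.
    """
    for dirpath, _dirs, _files in os.walk(cf_root):
        if os.path.basename(dirpath).lower() != "fckeditor":
            continue
        for rel in CONFIG_RELPATHS:
            candidate = Path(dirpath) / rel
            if candidate.is_file():
                yield candidate


def config_state(path):
    """'enabled', 'disabled', or 'unreadable' (no plain-text cfset found,
    e.g. an encoded template: inspect those by hand)."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return "unreadable"
    match = ENABLED_RE.search(text)
    if match is None:
        return "unreadable"
    return "enabled" if match.group(1).lower() == "true" else "disabled"


def disable_config(path):
    """Rewrite every Enabled = true to false in place; True if changed."""
    target = Path(path)
    text = target.read_text(encoding="utf-8", errors="replace")

    def to_false(match):
        whole = match.group(0)
        if match.group(1).lower() == "false":
            return whole
        start = match.start(1) - match.start()   # offset of true/false in the match
        end = match.end(1) - match.start()
        return whole[:start] + "false" + whole[end:]

    rewritten = ENABLED_RE.sub(to_false, text)
    if rewritten == text:
        return False
    target.write_text(rewritten, encoding="utf-8")
    return True


def audit_tree(cf_root, disable=False):
    """Map each config.cfm (POSIX path relative to cf_root) to its state."""
    results = {}
    for cfg in find_connector_configs(cf_root):
        state = config_state(cfg)
        if state == "enabled" and disable and disable_config(cfg):
            state = "disabled"
        results[cfg.relative_to(cf_root).as_posix()] = state
    return results


def build_demo_tree(base):
    """Constructed CF root: one enabled, one disabled, one unreadable config."""
    editor = Path(base) / "CFIDE" / "scripts" / "ajax" / "FCKeditor"
    samples = {
        CONFIG_RELPATHS[0]: (b"<cfset Config = StructNew()>\n"
                             b"<cfset Config.Enabled = true>\n"
                             b'<cfset Config.UserFilesPath = "/userfiles/">\n'),
        CONFIG_RELPATHS[1]: b"<cfset config.enabled = false>\n",
        # Not real cfencode output, just bytes with no readable cfset in them.
        CONFIG_RELPATHS[2]: b"\x00\x01\x02 encoded template stand-in \xff\xfe",
    }
    for rel, body in samples.items():
        target = editor / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def demo():
    """Audit the constructed tree, disable, re-audit; returns (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        before = audit_tree(root)
        audit_tree(root, disable=True)
        after = audit_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, state in sorted(before.items()):
        print(f"{state:10s} -> {after[rel]:10s} {rel}")
```

Run it against a real install as `audit_tree("/opt/coldfusion8")` first without `disable=True` and read the 'unreadable' entries by hand; as Dave notes later in the thread, no ColdFusion restart is needed after the edit, but a copy of the CFIDE tree before rewriting is cheap insurance.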

Author:
Tom Chiverton
07/09/2009 12:08 PM

Also, after applying it, the info. page still says:

Update Level: /opt/coldfusion8/lib/updates/hf801-71471.jar

Although it also says

CF Classpath: :opt/coldfusion8/runtime/../lib/updates/hf801-71471.jar: :opt/coldfusion8/runtime/../lib/updates/coldfusion8.0.1_hf801-77218.jar:

Is that what everyone else sees?

--
Helping to evangelistically promote functionalities as part of the IT team of the year, '09 and '08

Author:
Dawson, Michael
07/09/2009 12:26 PM

I don't see your particular update level, but I do see an update level that is earlier than 77218.

Thanks,
Mike

> Also, after applying it, the info. page still says:
> Update Level: /opt/coldfusion8/lib/updates/hf801-71471.jar
> Although it also says
> CF Classpath: :opt/coldfusion8/runtime/../lib/updates/hf801-71471.jar: :opt/coldfusion8/runtime/../lib/updates/coldfusion8.0.1_hf801-77218.jar:
> Is that what everyone else sees ?

Author:
Tom Chiverton
07/10/2009 04:23 AM

> I don't see your particular update level, but I do see an update level
> that is earlier than 77218.

Cool. I cc'ed Adam so at least Adobe and Google now know :-)

--
Helping to advantageously foster eligible guinine mindshares as part of the IT team of the year, '09 and '08

Author:
Dave Watts
07/03/2009 07:54 AM

> Both of these files look like they are encrypted. Am I missing something?

I suspect you have an older version of FCKEditor deployed in that case.

Dave Watts, CTO, Fig Leaf Software

Author:
Dave Watts
07/03/2009 07:57 AM

> And that's why our prod servers are read only (and Linux).

There's nothing OS-specific about the vulnerability, as far as I can see.

Dave Watts, CTO, Fig Leaf Software

Author:
Dave Watts
07/03/2009 01:09 PM

> How does this exploit actually work? I presume it is somebody directly accessing the exposed, vulnerable, exploitable files via www.yourSite.org/cfide/scripts/something? Is that correct?

Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case.

Dave Watts, CTO, Fig Leaf Software

Author:
Ian Skinner
07/03/2009 01:18 PM

Dave Watts wrote:
> Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case.
>
> Dave Watts, CTO, Fig Leaf Software

Well, that was my subtle request for a good URL or two to test!! :-)

I tried one or two I could guess by looking at the directory under scrutiny and I got an encouraging 404 Not Found for them. But I realize I may not be using the best URLs for my testing.

Author:
Dave Watts
07/03/2009 01:16 PM

> what if you want to do file upload with fckeditor?

You should take the same precautions you would with any file upload. Don't allow uploads to web-accessible directories that allow code execution on the server. Better yet, don't allow uploads to web-accessible directories at all, so that your server can't unwittingly host client-side malware. Don't run CF with root credentials, so that successfully uploaded CF scripts can't do bad things to your system.

Dave Watts, CTO, Fig Leaf Software

Author:
Dave Watts
07/03/2009 02:57 PM

> Well, that was my subtle request for a good URL or two to test!! :-)

Sorry for omitting the actual URLs, but I'm sending all this from my phone. And CF doesn't run on Windows Mobile!

Dave Watts, CTO, Fig Leaf Software
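Ian asked for URLs to test and Dave's point is that the paths can still be handed to ColdFusion even after CFIDE has been moved, because the connector's URL pattern match routes them regardless of what is in the web root. The following is an added example for this page, not code from the thread or from Adobe: it builds the candidate connector URLs from the two directory layouts quoted above and classifies what the server does with each. The file names connector.cfm and upload.cfm inside those directories are assumptions (check them against the files actually present on your install), and `fake_server` is a constructed responder that stands in for a live server so the logic runs offline. Any status other than 404/401/403 is reported as reachable, including a 500, since a ColdFusion error page means the template reached CF.

```python
"""Check whether the bundled FCKeditor CFM connector endpoints answer over HTTP.

Example written for this page, not Adobe's or FCKeditor's own tooling.
The fetcher is injectable so the classification logic can be exercised offline.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Directories are the ones quoted in the thread; the file names inside them
# are assumptions. Adjust to match what `ls` shows on your own server.
CONNECTOR_PATHS = (
    "CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm",
    "CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm",
    "CFIDE/scripts/ajax/FCKeditor/editor/filemanager/upload/cfm/upload.cfm",
    "CFIDE/scripts/ajax/FCKeditor/editor/filemanager/browser/default/connectors/cfm/connector.cfm",
)


def http_status(url, timeout=5):
    """HTTP status for a plain GET of url, or None if nothing answered."""
    req = urllib.request.Request(url, method="GET",
                                 headers={"User-Agent": "cfide-connector-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Reduce a status code to what matters for the check."""
    if status is None:
        return "no-answer"
    if status == 404:
        return "not-found"
    if status in (401, 403):
        return "blocked"
    # 200, 302, 500 and friends: the request was handed to ColdFusion,
    # so a CF error page still counts as a reachable template.
    return "reachable"


def probe(base_url, fetch=http_status):
    """Map every candidate connector URL under base_url to its classification."""
    if not base_url.endswith("/"):
        base_url += "/"
    results = {}
    for rel in CONNECTOR_PATHS:
        url = urljoin(base_url, rel)
        results[url] = classify(fetch(url))
    return results


def reachable(results):
    """Sorted list of URLs the server actually served."""
    return sorted(url for url, state in results.items() if state == "reachable")


def fake_server(url):
    """Constructed responder: a CF 8.0.1 box with the 2.6-style connector
    present and served, where upload.cfm throws a CF error on a bare GET."""
    if "/connectors/cfm/connector.cfm" in url and "/browser/" not in url:
        return 200
    if "/connectors/cfm/upload.cfm" in url:
        return 500
    return 404


if __name__ == "__main__":
    # Real run: python check_cfide.py https://www.example.org/
    # No argument: exercise the logic against the constructed responder.
    if len(sys.argv) > 1:
        found = probe(sys.argv[1])
    else:
        found = probe("https://www.example.org/", fetch=fake_server)
    for url, state in found.items():
        print(f"{state:10s} {url}")
```

A 404 from your web server is the encouraging answer Ian saw, but test the lower-case `cfide` spelling as well on Windows hosts, and test from outside any IP restriction that fronts /CFIDE/, since the attacker in the SANS diary is not coming from your office network.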

Author:
Dave Watts
07/04/2009 09:46 AM

> So do we not need to restart ColdFusion after making this change?

No, a restart shouldn't be required.

Dave Watts, CTO, Fig Leaf Software

Author:
Dave Watts
07/04/2009 09:47 AM

> I know the vulnerability was in older versions of FCKEditor...if one were to install and use the current version, does it still have the vulnerability or has that been fixed?

I don't know, but it should be easy enough to check on your install.

Dave Watts, CTO, Fig Leaf Software

Author:
Dave Watts
07/05/2009 08:28 AM

> If you mean your FCKEditor is accessed in a secure area, I don't think that matters. It's whether or not certain scripts can be accessed at yourdomain.com/cfide/scripts/bla/bla/eek.cfm.

That is my understanding as well.

Dave Watts, CTO, Fig Leaf Software

Author:
Dave l
07/05/2009 09:52 AM

"There's nothing OS-specific about the vulnerability, as far as I can see."

I'm sure it's more about a "location" that is easy to guess.. maybe the default FCK one. Although them exe's are gunna have a bitch of a time running on a lt 1gb sectioned partition with no rights on my xserver.

Too many people probably upload to /uploads (I'm guilty) so it shouldn't be too difficult.

Author:
Dave Watts
07/05/2009 01:22 PM

> I'm sure it more about a "location" that is easy to guess.. maybe the default fk one.

If there's a default web accessible URL path for uploaded files, and that directory is configured to execute CF files, an attacker can simply upload a .cfm file, and run it to do anything CF can do: CFEXECUTE, access databases, connect to outbound FTP servers, etc. You may not allow the first of those, but it's far less likely you're blocking the others.

Dave Watts, CTO, Fig Leaf Software

Author:
Dave l
07/05/2009 01:43 PM

"If there's a default web accessible URL path for uploaded files"

Well that's why you don't do it. I have done it but I don't anymore. That's true with any server, any platform, any scripting language; I don't know why they are making this out to be a CF-only issue.

I have 3 HDs: #1 is the OS and apps, #2 is partitioned with 99.9% of it beingbu stuff and the rest is just a few folders that the uploads go into and run through doing what needs to be done with them, and #3 is the web server. So .cfm files can only be run out of the #3 HD. So if I upload the files to an isolated partition with min permissions, how would they run that CF file? That drive isn't accessible from the web & I have no FTPs or any incoming connections to that drive. They could of course hack into the server itself and then move the file manually to the web server drive, then go get it ;)

Author:
Dave Watts
07/05/2009 04:55 PM

> That's true with any server, any platform, any scripting language, I don't know why they are making this out to be a cf only issue.

It's not a CF-only issue. However, CF comes bundled with FCKEditor and other scripting languages don't. If you don't allow uploads to web accessible directories, you don't have anything to worry about. However, the default install of CF 8.0.1 on Windows does allow uploads to web accessible directories.

Dave Watts, CTO, Fig Leaf Software

Author:
Dave l
07/06/2009 03:18 AM

That's the trouble with bundling things. I used to think it was nice but really it creates these types of things.

Have you seen the video of the guy hacking sites with this?

Author:
Eric Roberts
07/06/2009 09:32 AM

I have always installed FCK instead of using the bundled version... it allows me to make sure that I have the latest version without affecting CF. I am not a fan of bundled/integrated anything... I think Office being the exception... why would you want all of your eggs in one basket?

Eric

Author:
Dave Watts
07/06/2009 04:45 PM

> Thats the trouble with bundling things. I used to think it was nice but really it creates
> these types of things.

Well, CF contains TONS of bundled items; any of these items could conceivably have some unknown vulnerability. Database drivers, COM and .NET interfaces, all sorts of third-party libraries, etc, etc.

> Have you seen the video of the guy hacking sites with this?

No. But it's a pretty easy thing, once you know how the vulnerability works, I think.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Author:
Dave l
07/07/2009 02:46 AM

"Well, CF contains TONS of bundled items"

I've switched to Railo now, which doesn't have some of that stuff, but it might be a good idea for Adobe to implement some admin controls to be able to turn that stuff on or off.

Here is the video:
http://www.coldfusion.tv/viewVideo.cfm?videoID=1000011

Author:
Tom Chiverton
07/09/2009 06:58 AM

> http://www.coldfusion.tv/viewVideo.cfm?videoID=1000011

There is a whole ton of 'old' errors in the application he hacks, any of which anyone could make. Without any one of them, the 'exploit' wouldn't have worked. There's nothing in the FCKeditor plugins themselves that are wrong - if you rolled your own upload script this could still happen! For instance

* user file uploads to a web accessible directory
* not checking file type of uploaded files after the upload
* full exception output left on

--
Helping to dramatically utilize methodologies as part of the IT team of the year, '09 and '08
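Dave's precautions earlier in the thread (no uploads into a web-accessible directory that executes code, no trust in the client's idea of the file) and the first two items in Tom's list above, as one upload handler. This is an added example written for this page, not ColdFusion's cffile or FCKeditor's own connector; it is generic Python so the checks run anywhere, and the extension lists, magic-byte table and constructed sample files are this example's own choices. The "check after the upload" item matters because CF 8's cffile accept attribute compares the MIME type the browser sent, which the attacker controls; the content check here reads the bytes instead. Dave's third precaution, not running CF as root, and Tom's third item, turning off full exception output, are server configuration rather than code and are not shown.

```python
"""Upload validation distilled from the thread's hardening advice.

Example written for this page, not ColdFusion's or FCKeditor's own handler.
Rejects anything the server might execute, checks the bytes rather than the
claimed type, and refuses any destination inside the web root.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Extensions the engines in play would execute (CFML, plus JSP because CF 8
# runs on a servlet container) and a few other classic web-executables.
EXECUTABLE_EXTS = {"cfm", "cfml", "cfc", "cfr", "jsp", "jspx", "jws",
                   "php", "asp", "aspx", "cgi", "pl", "sh", "exe"}
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Magic-byte prefixes for the allowed types (example table, extend as needed).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def extension_parts(filename):
    """Every extension component, lower-cased: 'shell.cfm.jpg' -> ['cfm', 'jpg']."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_name(filename):
    """None if the name is acceptable, otherwise the reason it was rejected."""
    if "\x00" in filename or ";" in filename:
        return "suspicious characters in name"
    exts = extension_parts(filename)
    if not exts:
        return "no extension"
    # Any executable component is rejected, so shell.cfm and shell.cfm.jpg
    # are treated alike; some handler mappings key on inner extensions.
    if any(ext in EXECUTABLE_EXTS for ext in exts):
        return "server-executable extension"
    if exts[-1] not in ALLOWED_EXTS:
        return "extension not in allow list"
    return None


def check_content(data, ext):
    """True if the bytes start like the type the extension claims."""
    return any(data.startswith(sig) for sig in MAGIC[ext])


def is_outside_webroot(dest_dir, webroot):
    """True unless dest_dir is the web root or somewhere beneath it."""
    dest = Path(dest_dir).resolve()
    root = Path(webroot).resolve()
    return dest != root and root not in dest.parents


def store_upload(filename, data, dest_dir, webroot):
    """Validate and store; returns the stored path or raises ValueError."""
    reason = check_name(filename)
    if reason:
        raise ValueError(reason)
    ext = extension_parts(filename)[-1]
    if not check_content(data, ext):
        raise ValueError("content does not match extension")
    if not is_outside_webroot(dest_dir, webroot):
        raise ValueError("destination is web accessible")
    # Server-chosen random name: the client's file name never hits the disk.
    out = Path(dest_dir) / f"{secrets.token_hex(16)}.{ext}"
    out.write_bytes(data)
    return out


def demo():
    """Run the checks over constructed inputs; returns {case: outcome}."""
    results = {}
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    with tempfile.TemporaryDirectory() as base:
        webroot = Path(base) / "wwwroot"
        uploads = Path(base) / "uploads"
        for d in (webroot, webroot / "userfiles", uploads):
            d.mkdir(parents=True)
        cases = {
            "good png": ("photo.png", png, uploads),
            "cfm template": ("shell.cfm", b"<cfoutput>#now()#</cfoutput>", uploads),
            "double extension": ("shell.cfm.jpg", b"\xff\xd8\xff\xe0", uploads),
            "png named jpg": ("x.jpg", png, uploads),
            "into webroot": ("photo.png", png, webroot / "userfiles"),
        }
        for label, (name, data, dest) in cases.items():
            try:
                store_upload(name, data, dest, webroot)
                results[label] = "stored"
            except ValueError as err:
                results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18s} {outcome}")
```

The storage location is the check that does the most work: with uploads outside the web root and served back through a script that sets the content type itself, a file that slips past the name and content checks is still just bytes, which is the position Dave l describes with his separate upload partition.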

