ColdFusion 8 FCKeditor Vulnerability

There have been a few stories about a vulnerability in FCKeditor that is bundled with ColdFusion 8, first on The Register.

The FCKeditor ColdFusion connector isn't enabled on all CF installations, I think if you installed a fresh 8.0.1 it is enabled, older versions may have had it disabled by default. Either way you need to make sure it is disabled, and remove the file manager. John Mason has put together a blog entry detailing how to do this here. If you aren't using cftextarea you might as well go ahead and delete (or move outside the web root) /CFIDE/scripts/ajax/FCKeditor/ all together.

Also if you use FCKeditor (on any version of CF) outside of cftextarea make sure you are not at risk.

I haven't had a chance yet to review the vulnerability itself, but I will do so, and post details, in the mean time just make sure your server is not vulnerable.

I would like to point out another thing that you can do to make you less susceptible to automated attacks like this, move your /CFIDE/scripts/ directory to a different URI, then specify your custom URI in the ColdFusion Administrator under Server Settings at Default ScriptSrc Directory . Eliminating defaults is key to avoiding such worms, yes you are still vulnerable, but it buys you some extra time to react to such attacks. That was one of the tips in my presentation at cf.Objective() on Hardening ColdFusion, which I still need to post the slides for.

Update: The Adobe Product Security Incident Response Team (PSIRT) has posted an official response to this issue here.

Update: Adobe has posted a hotfix for this issue.

Another Update: Fixinator can detect vulnerable versions of FCKEditor in your ColdFusion code. In addition to detecting vulnerable versions of FCKEditor, it also looks for other known vulnerable third party libraries. You can run fixinator in CI, so it scans your code for vulnerabilities every time you commit to source control.