
FCKeditor Access Denied

Published on October 15, 2009
By Pete Freitag

I have a client using the standalone FCKeditor on his server (not the one in /CFIDE/; it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's built-in FCKeditor, the file manager for uploading and inserting images stopped working. He was getting a JRun Servlet Error: 403 Access denied.

It turns out that the hotfix (hf801-77218) blocks any CFM request whose URI contains /fckeditor/editor/filemanager/ anywhere in the path.

To bypass this check you need to add the JVM argument -Dcoldfusion.fckupload=true to your JVM arguments. On Standard this is set in the ColdFusion Administrator under Java & JVM settings; on Enterprise it goes in the jvm.config file.
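To see which 403s in your access log are explained by the hotfix rule above (rather than by some other cause), here is an added Python triage helper; it is not part of the original post or of ColdFusion, it mirrors the rule as the post describes it (a .cfm request whose path contains the fragment anywhere), and the log lines are constructed samples in a generic combined-log format.

```python
import re
from urllib.parse import urlsplit, unquote

# Path fragment that hotfix hf801-77218 refuses for .cfm requests (per the post).
HOTFIX_FRAGMENT = "/fckeditor/editor/filemanager/"

# Combined-log-style line: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def blocked_by_hotfix(request_uri: str, fckupload_enabled: bool = False) -> bool:
    """True if the hotfix rule would answer this request with 403.

    fckupload_enabled models running with -Dcoldfusion.fckupload=true,
    which disables the check entirely. Matching is case-insensitive and
    done on the decoded path, so /FCKeditor/ and /fckeditor/ are treated alike.
    """
    if fckupload_enabled:
        return False
    path = unquote(urlsplit(request_uri).path).lower()
    return path.endswith(".cfm") and HOTFIX_FRAGMENT in path

def hotfix_denials(log_lines):
    """Return (ip, uri) for every 403 that the hotfix rule accounts for."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "403":
            continue
        if blocked_by_hotfix(m.group("uri")):
            hits.append((m.group("ip"), m.group("uri")))
    return hits

# Constructed sample log: an upload refused by the hotfix, the editor page itself,
# an unrelated 403, and a connector under a renamed directory (as one commenter
# did), which the path-based rule does not see; for that last case only the
# connector's own config.enabled check stands between a request and the upload.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Oct/2009:10:01:02 +0000] "POST /FCKeditor/editor/filemanager/connectors/cfm/connector.cfm?Command=FileUpload HTTP/1.1" 403 0',
    '10.0.0.5 - - [15/Oct/2009:10:01:03 +0000] "GET /FCKeditor/editor/fckeditor.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Oct/2009:10:02:10 +0000] "GET /admin/private.cfm HTTP/1.1" 403 0',
    '10.0.0.7 - - [15/Oct/2009:10:03:00 +0000] "POST /editor/editor/filemanager/connectors/cfm/connector.cfm?Command=FileUpload HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, uri in hotfix_denials(SAMPLE_LOG):
        print(f"hotfix 403: {ip} {uri}")
```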

In general I think this is a good feature, though it will probably cause an issue for anyone who uses FCKeditor outside of cftextarea.

Make sure that when you enable FCKeditor's file connector you do so in a secure manner. For example, don't just set config.enabled = true; do something like this:

config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;



Comments

This is probably not an issue if you've upgraded to CKEditor. Not sure if it still uses the same url structure as the obsolete FCKEditor...
by Brian Lang on 10/15/2009 at 6:44:06 PM UTC
If you are on shared hosting and cannot change any server setting or get the hosting company to do it, you can just rename the directory where FCKEditor is located. I changed mine to just editor, then in fckeditor.js changed the this.basepath variable to /editor/. You also have to change all of the calls to the editor if you call it as a custom tag. If you use the CFC, you have to change the this.basepath variable there as well.
by Greg McNary on 10/15/2009 at 9:14:00 PM UTC
@Doug - The CF8 hotfix will still block /whatever/fckeditor/editor/filemanager/anything.cfm; maybe you didn't apply the hotfix jar and just updated the /CFIDE folder.
by Pete Freitag on 10/16/2009 at 12:21:39 PM UTC
Pete,
this post has been very useful for me; I add that the latest CF9 release has a new built-in function named fileUpload(), just as a function in fckeditor connectors/cfm/commands.cfm, included by cf_connector.cfm, so we have to change this function name, i.e. file_upload().
regards
by salvatore fusto on 01/19/2011 at 5:53:48 AM UTC
@salvatore thanks for posting that, I'm sure others will find that useful too.
by Pete Freitag on 01/19/2011 at 10:33:10 AM UTC
@matt - had this same problem in CF8. The CF administrator has its own application.cfm, so the fckeditor cannot see your app's session. I took the easy route - I use a cookie which the fckeditor can see. I also use the cookie to set the userfiles path.
by MikeG on 03/07/2012 at 5:34:43 PM UTC