Yeah, I just looked at it.

Ugly. Very ugly.

I can't believe Adobe didn't issue an immediate patch.

On Thu, Jul 2, 2009 at 7:41 PM, Howard Fore <howard.f...@hofo.com> wrote:

> Yes, not older. In fact, an 8.0.1 installation is more vulnerable than 8.0.0
> due to a change at line 29 of
> CFIDE\scripts\ajaxFCKeditor\editor\filemanager\connectors\cfm\config.cfm
>
> --
> Howard Fore, howard.f...@hofo.com
> "The worthwhile problems are the ones you can really solve or help solve,
> the ones you can really contribute something to. ... No problem is too small
> or too trivial if we can really do something about it." - Richard P. Feynman
>
>
>
> On Thu, Jul 2, 2009 at 6:51 PM, John Mason <ma...@fusionlink.com> wrote:
>
>> Just a bit goofy writing in that article, but this involves the richtext
>> feature that was introduced in CF 8. So not an older version at all.
>>
>> John
>>
>> Charlie Arehart wrote:
>>
>>> I'm curious about their phrasing of "older installations of Cold Fusion
>>> applications" and FCKEditor. It was only included as of CF8 (codenamed
>>> Scorpio, as mentioned in this news from the FCKeditor folks:
>>> http://www.fckeditor.net/Adobe_to_embed_FCKeditor_in_ColdFusion). So it's
>>> too bad that the opening lines suggest it affects only "older installations".
>>>
>>> Also, FWIW, this blog entry by an Adobe engineer
>>> (http://www.rakshith.net/blog/?p=41), from 2007, says specifically that the
>>> file upload feature in FCKEditor was disabled by default in CF8, so it would
>>> seem only those who enabled that would have the issue.
>>>
>>> Not diminishing the concern. Just saying the info shared by them seems rather
>>> incomplete, and potentially confusing. But as someone already added as a
>>> comment there, perhaps the real issue is the cffile upload aspect, and they
>>> point readers to Pete F's recent blog entry on that.
>>>
>>> /charlie
>>>
>>>> -----Original Message-----
>>>> From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe
>>>> Sent: Thursday, July 02, 2009 5:14 PM
>>>> To: discussion@acfug.org
>>>> Subject: [ACFUG Discuss] CF Attacks in the wild
>>>>
>>>> FYI http://bit.ly/dUdvv
>>>>
>>>> "There have been a high number of Cold Fusion web sites being
>>>> compromised in last 24 hours. We received several e-mails about this.
>>>>
>>>> It appears that the attackers are exploiting web sites which have
>>>> older installations of some Cold Fusion applications. These
>>>> applications have vulnerable installations of FCKEditor, which is a
>>>> very popular HTML text editor, or CKFinder, which is an Ajax file
>>>> manager. The vulnerable installations allow the attackers to upload
>>>> ASP or Cold Fusion shells which further allow them to take complete
>>>> control over the server."
>>>>
>>>> I have known about this for a few months now, but had to be silent on
>>>> it.  Adobe hasn't patched it (yet) but the attacks are in the wild...
>>>>
>>>> -dhs
>>>>
>>>> Dean H. Saxe, CISSP, CEH
>>>> d...@fullfrontalnerdity.com
>>>> "If liberty means anything at all, it means the right to tell people
>>>> what they do not want to hear."
>>>>     -- George Orwell, 1945
>>>>
>>>> -------------------------------------------------------------
>>>> To unsubscribe from this list, manage your profile @
>>>> http://www.acfug.org?fa=login.edituserform
>>>>
>>>> For more info, see http://www.acfug.org/mailinglists
>>>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>>>> List hosted by http://www.fusionlink.com
>>>> -------------------------------------------------------------
>>>
>


-- 
Regards,
Steve Drucker
CEO
Fig Leaf Software
http://www.figleaf.com
http://training.figleaf.com
Adobe, Google, Paperthin Consulting/Training/Sales
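The thread turns on two practical questions: is the FCKeditor file manager actually switched on in the connector's config.cfm, and has anyone been hitting that connector? The script below is an added example, not code from this thread or from Adobe or FCKeditor, that answers both on constructed input. It assumes the stock FCKeditor layout, in which config.cfm sets the file manager on or off with a line of the form `<cfset Config.Enabled = false />`, and it assumes FCKeditor's connector convention of a `Command` query parameter (`FileUpload` for uploads); the config snippets and access-log lines are constructed for the example.

```python
"""
Added example (not from the thread, Adobe or FCKeditor): two checks for the
FCKeditor file-upload exposure in ColdFusion 8.

  is_upload_enabled()   -- reads config.cfm text and reports whether the file
                           manager is on.  Assumes the stock layout, where the
                           flag is set by  <cfset Config.Enabled = false />
  find_connector_hits() -- scans Common Log Format access-log lines for requests
                           to the CF connector directory and marks the ones that
                           carry Command=FileUpload (FCKeditor's connector
                           convention, assumed here) as upload attempts.

Sample configs and log lines below are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Web path of the connector directory whose config.cfm the thread refers to.
CONNECTOR_PATH = "/CFIDE/scripts/ajaxFCKeditor/editor/filemanager/connectors/cfm/"

# <cfset Config.Enabled = true />   (CFML is case-insensitive, so match that way)
ENABLED_RE = re.compile(
    r"<cfset\s+Config\.Enabled\s*=\s*(true|false)\s*/?>", re.IGNORECASE)

# Common Log Format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')


def is_upload_enabled(config_cfm_text):
    """True if the last Config.Enabled assignment in config.cfm is 'true'.

    The last assignment wins, as it would when ColdFusion runs the file.
    Raises ValueError when no assignment is found, so an unexpected layout
    is never silently reported as 'disabled'.
    """
    values = ENABLED_RE.findall(config_cfm_text)
    if not values:
        raise ValueError("no Config.Enabled assignment found in config.cfm")
    return values[-1].lower() == "true"


def find_connector_hits(log_lines):
    """Return one dict (ip, method, status, command, is_upload) per request
    to the connector directory.  Path and parameter matching is
    case-insensitive because CF on Windows serves /cfide/ and /CFIDE/ alike.
    Lines that are not in Common Log Format are skipped.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().startswith(CONNECTOR_PATH.lower()):
            continue
        params = {k.lower(): v for k, v in parse_qs(url.query).items()}
        command = params.get("command", [""])[0]
        hits.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "command": command,
            "is_upload": command.lower() == "fileupload",
        })
    return hits


# --- constructed sample input -------------------------------------------------

SAMPLE_CONFIG_DEFAULT = """<cfsetting enablecfoutputonly="true">
<cfset Config = StructNew() />
<cfset Config.Enabled = false />
"""

SAMPLE_CONFIG_ENABLED = """<cfsetting enablecfoutputonly="true">
<cfset Config = StructNew() />
<cfset Config.Enabled = false />
<!--- someone switched the file manager on for the rich-text editor --->
<cfset Config.Enabled = true />
"""

SAMPLE_LOG = [
    '198.51.100.4 - - [02/Jul/2009:17:55:02 -0400] "GET /index.cfm HTTP/1.1" 200 4412',
    '203.0.113.7 - - [02/Jul/2009:18:01:12 -0400] "GET /CFIDE/scripts/ajaxFCKeditor/editor/filemanager/connectors/cfm/connector.cfm?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ HTTP/1.1" 200 812',
    '203.0.113.7 - - [02/Jul/2009:18:01:15 -0400] "POST /CFIDE/scripts/ajaxFCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 97',
    '203.0.113.7 - - [02/Jul/2009:18:01:19 -0400] "POST /cfide/scripts/ajaxfckeditor/editor/filemanager/connectors/cfm/upload.cfm?command=FileUpload&type=File&currentfolder=/ HTTP/1.1" 200 97',
]

if __name__ == "__main__":
    print("stock config, upload enabled:", is_upload_enabled(SAMPLE_CONFIG_DEFAULT))
    print("edited config, upload enabled:", is_upload_enabled(SAMPLE_CONFIG_ENABLED))
    for hit in find_connector_hits(SAMPLE_LOG):
        flag = "UPLOAD ATTEMPT" if hit["is_upload"] else "connector request"
        print(f'{hit["ip"]} {hit["method"]} {hit["command"]!r} -> {hit["status"]} {flag}')
```

Run the config check against the config.cfm of every CF 8 instance you own, and feed the web server's access logs to the second function. Any hit on the connector directory is worth a look even where the flag now reads false: a shell dropped while uploads were enabled survives re-disabling the feature, so a successful upload attempt in the logs means checking the upload directory for .cfm or .asp files as well.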
