Cumulative Hot Fix 4 for 8.0.1

A new cumulative hot fix for ColdFusion 8.0.1 has been released.

Details and download may be found here: http://kb2.adobe.com/cps/529/cpsid_52915.html

HackMyCF, ColdFusion Server Security Scanner

Pete Freitag has launched HackMyCF, a site that can test your ColdFusion servers for security holes, missing hotfixes and patches, and more. Highly recommended!


Adobe Releases Hotfix for FCKEditor Security Issue

Adobe has released an official hot fix for the FCK Editor issue you may have heard about lately. You can read about and download the hotfix directly from Adobe.


ColdFusion 8 FCKeditor Vulnerability

There is a critical vulnerability in FCKeditor that was announced some time ago, when it was detected in the ASP and PHP connectors.

PHP - GeekLog v1.4.0 FckEditor File Upload Security Vulnerability

ASP - Exploiting IIS via HTMLEncode (MS08-006)

Now this vulnerability has been detected in ColdFusion version 8.0.1; version 8.0 apparently does not suffer from this flaw, but it is worth checking.

The solutions:
1) Disable the file manager. In "CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm\config.cfm", set:

Config.Enabled = false;

2) To be completely safe, delete the entire filemanager directory found under "CFIDE\scripts\ajax\FCKeditor\editor". The embedded version of FCKeditor for CF doesn't and really shouldn't use this feature. So removing those files completely is the safest thing to do. Be mindful that updates to CF might re-introduce those files and naturally re-open the problem.
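Both fixes can be verified from the server's file system, and re-checked after a ColdFusion update. The following shell function is an added example (not from this post or from Adobe) that assumes a Unix-style webroot path such as /opt/coldfusion8/wwwroot and the directory layout named above:

```shell
#!/bin/sh
# Audit a ColdFusion 8 webroot for the FCKeditor file manager connector.
# Return value: 0 = connector absent or disabled, 1 = potentially exposed.
# Paths follow the ones named in the post, joined with Unix separators
# (assumption: an on-disk webroot such as /opt/coldfusion8/wwwroot).

fck_check() {
    webroot="$1"
    fm="$webroot/CFIDE/scripts/ajax/FCKeditor/editor/filemanager"
    cfg="$fm/connectors/cfm/config.cfm"

    # Solution 2: the whole filemanager directory was removed, nothing to expose.
    if [ ! -d "$fm" ]; then
        echo "OK: filemanager directory absent ($fm)"
        return 0
    fi

    # Directory present: check solution 1, Config.Enabled = false in config.cfm.
    if [ ! -f "$cfg" ]; then
        # The filemanager is on disk but its CFM config is missing; a non-default
        # layout may still leave a connector reachable, so flag it for review.
        echo "WARN: filemanager present but $cfg not found; review manually"
        return 1
    fi

    # Ignore commented-out lines (// ...) and take the last effective setting.
    enabled=$(grep -i 'Config\.Enabled' "$cfg" | grep -v '^[[:space:]]*//' | tail -n 1)
    case "$enabled" in
        *[Ff][Aa][Ll][Ss][Ee]*)
            echo "OK: connector disabled in $cfg ($enabled)"
            return 0 ;;
        *)
            echo "EXPOSED: filemanager present and connector not disabled in $cfg"
            return 1 ;;
    esac
}
```

Run it as `fck_check /path/to/wwwroot` from cron so that a patch or reinstall that restores the filemanager directory is noticed promptly.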

More information in:

Serious security problem in CF 8.01 (by Alex Hubner - CFBRAZIL)

CF8 and FCKEditor Security threat (by John Mason)

ColdFusion 8 FCKeditor Vulnerability (by Pete Freitag)


Update: read this post by the Adobe Product Security Incident Response Team regarding a security issue caused by the FCKEditor included with ColdFusion 8:
Adobe Product Security Incident Response Team (PSIRT): Potential ColdFusion security issue

BlogCFC was created by Raymond Camden. This blog is running version 5.9.3.000.