FCKEditor 403 Access Denied and ColdFusion
Posted by Joe Rebis (Import) on 04 September 2009 03:03 PM
Last month Adobe released a patch to cover a vulnerability associated with ColdFusion 8.0.1 and the integrated version of FCKeditor in use for the CFTEXTAREA (type = richtext) tag. The tag removed disabled the default connector so that uploads were not possible when using that tag. Additionally,they implemented some extra security measures to help direct access to the connector files in the CFIDE directory. This leaves it up to the host to enable or disable. We currently are disabling it in the CFTEXTAREA tag (we are evaluating that decision).
The problem is that the patch also causes problems with standalone installations of FCKeditor that use the CFM connector. These CFM connector files are independent of the CFIDE version of those files. Typically users will get a 403 access denied message when trying to upload files or using the"Browse Server" button. Apparently, any CF requests in a folder structure called "/cfide/scripts/ajax/fckeditor/editor/filemanager/" will throw a 403 access denied message. You can test this by manually creating these directories and placing any CFM file and try calling it up in a browser.
There are a few workarounds to allow uploads:
You can try renaming renaming the FCKeditor directory to something else. It appears you will need to edit fckeditor.js in the root to set "this.BasePath"to the new directory name. Once this is done you should be able to upload files using FCKeditor and the CFM connector. This will provide a little better protection in that the name of the directory is not known to hackers. However,it won't be long before someone with a Google Tool bar comes along and the site gets picked up by Google etc. Perhaps you should add a NOINDEX, NOFOLLOW META tag to the index page of the editor's directory.
Another workaround would be to try a different type of connector like PHP.Just make sure to enable PHP on that domain from the control panel. No problems with running both CF and PHP side-by-side. Again, be sure to protect these scripts from unauthorized visitors. The downside I see with the PHP method is that many hackers use PHP scripts which would now work if they managed to get a file on the server.
Lastly, you might disable the connector (edit the config.cfm file in the connector directory) and write your own file upload routine. A word of warning that you properly trap for the correct file types. For more on that see Pete Freitag's blog here: http://www.petefreitag.com/item/701.cfm
In any case, ANY file/image upload script should be properly password protected and unnecessary files removed. Please don't assume that the maker of such scripts is doing so-- their objective is to make a widely compatible product for the largest possible audience and locking down their scripts to be published on shared hosting systems is not necessarily on their mind. The damage and liability that can result could be huge. Also note that many third party applications use FCKeditor and you should be vigilant and not assume they are taking the necessary precautions.
As I mentioned earlier we are evaluating the decision to disable the file uploads in the CFTEXTAREA (type = richtext). The decision was made just following a breach of someone's shopping cart software called CFWebStore which was using the FCKeditor and ColdFusion. All three pieces of software are great but when integrated poorly or poorly maintained can be a recipe for disaster. In our minds, with so many workarounds available, it seems moot to prevent the CFTEXTAREA tag from allowing file uploads-- at least we'll know there are some file restrictions. if the decision is reversed we'll update this article.
ColdFusion 8 Hotfix from Adobe: http://www.adobe.com/support/security/bulletins/apsb09-09.html