ColdFusion 8 FCKEditor file upload vulnerability

  • ColdFusion version 8.0.1 installs a vulnerable version of FCKEditor which is enabled by default. FCKEditor includes functionality to handle file uploads and file management, allowing an attacker to upload and execute malicious code.
  • One fix is to edit the <strong><span class="bb-dark">config.cfm</span></strong> file at <strong><span class="bb-dark">\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm</span></strong> to disable uploads (consult <strong>CF8 and FCKEditor Security threat</strong>) .<br/> Also, Adobe released a security patch for this issue and is a very high level patch that should be applied to your servers (consult <strong>Hotfix available for potential ColdFusion 8 input sanitization issue</strong>).