SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Adobe ColdFusion Vendors:   Adobe Systems Incorporated
(Adobe Issues Fix for ColdFusion) FCKeditor input Validation Flaw Lets Remote Users Upload Arbitrary Files
SecurityTracker Alert ID:  1022527
SecurityTracker URL:  http://securitytracker.com/id/1022527
CVE Reference:   CVE-2009-2265   (Links to External Site)
Date:  Jul 8 2009
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8, 8.0.1
Description:   A vulnerability was reported in FCKeditor. A remote user can upload arbitrary files to the target system. Adobe ColdFusion is affected.

Several connector modules in the 'editor\filemanager\connectors' directory do not properly validate user-supplied input. A remote user can submit a specially crafted request to upload files to arbitrary locations on the target system. This can be exploited to execute arbitrary code on the target system.

This vulnerability is being actively exploited.

Version 3.0 is not affected.

Several scripts in the '_samples' directory permit cross-site scripting attacks.

The vendor was notified on May 4, 2009.

The original advisory is available at:

http://www.ocert.org/advisories/ocert-2009-007.html

Vinny Guido reported this vulnerability via oCERT.

Impact:   A remote user can upload arbitrary files to the target system, which can lead to arbitrary code execution.
Solution:   Adobe has issued a hot fix for ColdFusion, which includes FCKeditor and is affected by this vulnerability.

The Adobe advisory is available at:

http://www.adobe.com/support/security/bulletins/apsb09-09.html

Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 6 2009 FCKeditor input Validation Flaw Lets Remote Users Upload Arbitrary Files



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC