what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Open Source CERT Security Advisory 2009.7

Open Source CERT Security Advisory 2009.7
Posted Jul 6, 2009
Authored by Andrea Barisani, Open Source CERT | Site ocert.org

FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability. The input of several connector modules is not properly verified before being used, this leads to exposure of the contents of arbitrary directories on the server filesystem and allows file uploading to arbitrary locations. The affected code is remotely exposed before authentication. An attacker can exploit this vulnerability to install remote shells on the victim server among other things, it should be noted that this vulnerability is being actively exploited in the wild. Versions 2.6.4 and below are affected.

tags | advisory, remote, web, arbitrary, shell, file upload
advisories | CVE-2009-2265
SHA-256 | e8fb00e2c1d4004e9c9d5b6c8091560a3a8bc7b786b95c5a80061e93d79b8354

Open Source CERT Security Advisory 2009.7

Change Mirror Download

#2009-007 FCKeditor input sanitization errors

Description:

FCKeditor, a web based open source HTML text editor, suffers from a remote
file upload vulnerability.

The input of several connector modules is not properly verified before being
used, this leads to exposure of the contents of arbitrary directories on the
server filesystem and allows file uploading to arbitrary locations. The
affected code is remotely exposed before authentication. An attacker can
exploit this vulnerability to install remote shells on the victim server
among other things, it should be noted that this vulnerability is being
actively exploited in the wild.

Additionally several XSS vulnerabilities are present in the packaged samples
directory.

A patch and a new FCKeditor version will be made available on Monday July 6th
16:00 CET, this advisory will be updated with detailed information about the
issue and a security patch.

In the meantime we strongly recommend to implement the following
mitigation instructions:

* removed unused connectors from 'editor\filemanager\connectors'

* disable the file browser in config.ext

* inspect all fckeditor folders on the server for suspicious files that
may have been previously uploaded, as an example image directories
(eg. 'fckeditor/editor/images/...') are well known target locations
for remote php shells with extensions that match image files

* completely remove the '_samples' directory

Affected version:

FCKeditor <= 2.6.4

(version 3.0 is unaffected as it does not have any built-in file browser)

Fixed version:

FCKeditor >= 2.6.4.1 (to be released on 2009-07-06 16:00 CET)

Credit: vulnerability report received from Vinny Guido <bigvin [at]
hushmail [dot] com>.

CVE: CVE-2009-2265

Timeline:

2009-05-03: vulnerability reported received
2009-05-04: contacted fckeditor maintainer
2009-05-25: maintainer denies reported issues against latest version
2009-05-25: reporter confirms that latest version is affected
2009-06-21: maintainer forwards report to project security maintainer
2009-06-23: security maintainer confirms CurrentFolder vulnerability
2009-06-24: security maintainer provides patch
2009-06-29: assigned CVE
2009-07-03: preliminary advisory release with mitigation instructions due to
wide exposure of the issue

Permalink:
http://www.ocert.org/advisories/ocert-2009-007.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team

<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close