what you don't know can hurt you

Rapid7 Security Advisory 36

Rapid7 Security Advisory 36
Posted Aug 30, 2010
Authored by H D Moore, Rapid7, Will Vandevanter | Site rapid7.com

Rapid7 Security Advisory - FCKEditor contains a file renaming bug that allows remote code execution. Specifically, it is possible to upload ASP code via the ASP.NET connector in FCKEditor. The vulnerability requires that the remote server be running IIS. This vulnerability has been confirmed on FCKEditor 2.5.1 and 2.6.6.

tags | exploit, remote, code execution, asp
advisories | CVE-2009-4444
MD5 | 734bd64d3ff9aa05f3b480e0cd0300eb

Rapid7 Security Advisory 36

Change Mirror Download
R7-0036: FCKEditor.NET File Upload Code Execution
August 30, 2010

-- Vulnerability Details:

FCKEditor contains a file renaming bug that allows remote code execution. Specifically, it is possible to upload ASP code via the ASP.NET connector  in FCKEditor. The vulnerability requires that the remote server be running IIS. This vulnerability has been confirmed on FCKEditor 2.5.1 and 2.6.6.
 
CVSS Vector: AV:R/AC:L/Au:NR/C:C/I:C/A:C

Browse to http://<ip>fckeditor/editor/filemanager/connectors/test.html and choose the ASP.NET connector. By uploading a file with the same name as an existing file, that includes an underscore followed by a dot, it is possible to bypass the file renaming mitigation in place. For instance, when uploading a file twice with the name:
 
       myfile_.asp;.txt
 
The first file would be renamed
 
       myfile__asp;.txt
 
BUT the second file will be renamed
 
       myfile_.asp;(1).txt
 
Due to the IIS semi-colon vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444) the server will remotely execute myfile_.asp;(1).txt when the second file is accessed.


-- Vendor Response:
A new version of the .NET connector has been released to address this issue, it can be found at the URL below.

http://ckeditor.com/blog/FCKeditor.Net_2.6.4_released

-- Disclosure Timeline:
2010-08-17 - Vulnerability reported to the vendor via contact form
2010-08-17 - Vulnerability reported to the vendor via bug tracker
2010-08-19 - Vulnerability reported to the vendor via email
2010-08-27 - Vendor replied indicating a fix is in the works
2010-08-27 - Vendor schedules the fix for August 30th, 2010
2010-08-30 - Vendor releases version 2.6.4 to address the issue

-- Credit:
This vulnerability was discovered by Will Vandevanter of the Rapid7 professional services team during a customer engagement.

-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

http://www.rapid7.com/disclosure.jsp



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close