#2009-007 FCKeditor input sanitization errors Description: FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability. The input of several connector modules is not properly verified before being used, this leads to exposure of the contents of arbitrary directories on the server filesystem and allows file uploading to arbitrary locations. The affected code is remotely exposed before authentication. An attacker can exploit this vulnerability to install remote shells on the victim server among other things, it should be noted that this vulnerability is being actively exploited in the wild. Additionally several XSS vulnerabilities are present in the packaged samples directory. A patch and a new FCKeditor version will be made available on Monday July 6th 16:00 CET, this advisory will be updated with detailed information about the issue and a security patch. In the meantime we strongly recommend to implement the following mitigation instructions: * removed unused connectors from 'editor\filemanager\connectors' * disable the file browser in config.ext * inspect all fckeditor folders on the server for suspicious files that may have been previously uploaded, as an example image directories (eg. 'fckeditor/editor/images/...') are well known target locations for remote php shells with extensions that match image files * completely remove the '_samples' directory Affected version: FCKeditor <= 2.6.4 (version 3.0 is unaffected as it does not have any built-in file browser) Fixed version: FCKeditor >= 2.6.4.1 (to be released on 2009-07-06 16:00 CET) Credit: vulnerability report received from Vinny Guido . CVE: CVE-2009-2265 Timeline: 2009-05-03: vulnerability reported received 2009-05-04: contacted fckeditor maintainer 2009-05-25: maintainer denies reported issues against latest version 2009-05-25: reporter confirms that latest version is affected 2009-06-21: maintainer forwards report to project security maintainer 2009-06-23: security maintainer confirms CurrentFolder vulnerability 2009-06-24: security maintainer provides patch 2009-06-29: assigned CVE 2009-07-03: preliminary advisory release with mitigation instructions due to wide exposure of the issue Permalink: http://www.ocert.org/advisories/ocert-2009-007.html -- Andrea Barisani | Founder & Project Coordinator oCERT | Open Source Computer Emergency Response Team http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"