FCKeditor input Validation Flaw Lets Remote Users Upload Arbitrary Files
|
SecurityTracker Alert ID: 1022513 |
SecurityTracker URL: http://securitytracker.com/id/1022513
|
CVE Reference:
CVE-2009-2265
(Links to External Site)
|
Updated: Jul 6 2009
|
Original Entry Date: Jul 6 2009
|
Impact:
Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 2.6.4 and prior versions
|
Description:
A vulnerability was reported in FCKeditor. A remote user can upload arbitrary files to the target system.
Several connector modules in the 'editor\filemanager\connectors' directory do not properly validate user-supplied input. A remote user can submit a specially crafted request to upload files to arbitrary locations on the target system. This can be exploited to execute arbitrary code on the target system.
This vulnerability is being actively exploited.
Version 3.0 is not affected.
Several scripts in the '_samples' directory permit cross-site scripting attacks.
The vendor was notified on May 4, 2009.
The original advisory is available at:
http://www.ocert.org/advisories/ocert-2009-007.html
Vinny Guido reported this vulnerability via oCERT.
|
Impact:
A remote user can upload arbitrary files to the target system, which can lead to arbitrary code execution.
|
Solution:
The vendor has issued a fix (2.6.4.1), available at:
http://www.fckeditor.net/download
|
Vendor URL: www.fckeditor.net/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Subject: [oCERT-2009-007] FCKeditor input sanitization errors
|
#2009-007 FCKeditor input sanitization errors
Description:
FCKeditor, a web based open source HTML text editor, suffers from a remote
file upload vulnerability.
The input of several connector modules is not properly verified before being
used, this leads to exposure of the contents of arbitrary directories on the
server filesystem and allows file uploading to arbitrary locations. The
affected code is remotely exposed before authentication. An attacker can
exploit this vulnerability to install remote shells on the victim server
among other things, it should be noted that this vulnerability is being
actively exploited in the wild.
Additionally several XSS vulnerabilities are present in the packaged samples
directory.
A patch and a new FCKeditor version will be made available on Monday July 6th
16:00 CET, this advisory will be updated with detailed information about the
issue and a security patch.
In the meantime we strongly recommend to implement the following
mitigation instructions:
* removed unused connectors from 'editor\filemanager\connectors'
* disable the file browser in config.ext
* inspect all fckeditor folders on the server for suspicious files that
may have been previously uploaded, as an example image directories
(eg. 'fckeditor/editor/images/...') are well known target locations
for remote php shells with extensions that match image files
* completely remove the '_samples' directory
Affected version:
FCKeditor <= 2.6.4
(version 3.0 is unaffected as it does not have any built-in file browser)
Fixed version:
FCKeditor >= 2.6.4.1 (to be released on 2009-07-06 16:00 CET)
Credit: vulnerability report received from Vinny Guido <bigvin [at]
hushmail [dot] com>.
CVE: CVE-2009-2265
Timeline:
2009-05-03: vulnerability reported received
2009-05-04: contacted fckeditor maintainer
2009-05-25: maintainer denies reported issues against latest version
2009-05-25: reporter confirms that latest version is affected
2009-06-21: maintainer forwards report to project security maintainer
2009-06-23: security maintainer confirms CurrentFolder vulnerability
2009-06-24: security maintainer provides patch
2009-06-29: assigned CVE
2009-07-03: preliminary advisory release with mitigation instructions due to
wide exposure of the issue
Permalink:
http://www.ocert.org/advisories/ocert-2009-007.html
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
|
|