FCKEditor 2.6.8 file upload and CKFinder/FCKEditor DoS vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201235981
Type myhack58
Reporter 佚名
Modified 2012-12-06T00:00:00


Thanks to the endless in freebuf community”share the mission”to give a clue, only with this article

Original post: http://club.freebuf.com/?/question/129#reply12

FCKEditor 2.6.8 file upload vulnerability

Exploit-db on the original as follows:

  • Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
  • Credit goes to: Mostafa Azizi, Soroush Dalili
  • Link:http://sourceforge. net/projects/fckeditor/files/FCKeditor/
  • Description: There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
  • Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
  • Solution: Please check the provided reference or the vendor website.

  • PoC:http://www. youtube. com/v/1VpxlJ5jLO8? version=3&hl=en_US&rel=0&vq=hd720 " Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:

In the “config. asp”, wherever you have: ConfigAllowedExtensions. Add “File”,”Extensions Here” Change it to: ConfigAllowedExtensions. Add “File”,”^(Extensions Here)$”

In the video for over the wall, we can see very clearly:

  1. First, the aspx is prohibited to upload
  2. Use%0 0 truncated the url decode, the first uploaded file name will be turn into a _ symbol


Next, we performed the second upload, the miracle happened.


代码 层面 分析 可以 看 下 http://lanu.sinaapp.com/ASPVBvbscript/121.html

CKFinder/FCKEditor DoS vulnerability

Compared to the last upload of the bug, this vulnerability individuals feel more interesting

CKFinder is a powerful and easy-to-use Web browser in the Ajax file Manager. Its simple interface makes it intuitive and quick to learn the various types of users, from senior professionals to Internet beginners.

CKFinder ASP version is such a process to upload the file:

When uploaded file name already exists, it will iterate to rename, such as file(1). ext exist, try to rename the file(2). ext...... Until not repeated so far.

So now the interesting thing-windows is prohibited”con”as file name on this issue I remember a long time ago, the win also had the con file name vulnerability, are interested in can be confirmed.

[1] [2] next