The latest FCKEditor ASP upload bypass vulnerability-vulnerability warning-the black bar safety net

2012-12-06T00:00:00
ID MYHACK58:62201235992
Type myhack58
Reporter 佚名
Modified 2012-12-06T00:00:00

Description

exploiut-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass - Credit goes to: Mostafa Azizi, Soroush Dalili - Link:http://sourceforge. net/projects/fckeditor/files/FCKeditor/ - Description: There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension. - Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/ - Solution: Please check the provided reference or the vendor website. - PoC:http://www. youtube. com/v/1VpxlJ5jLO8? version=3&hl=en_US&rel=0&vq=hd720 " Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass: In the “config. asp”, wherever you have: ConfigAllowedExtensions. Add “File”,”Extensions Here” Change it to: ConfigAllowedExtensions. Add “File”,”^(Extensions Here)$”

the php test is invalid asp/aspx test success: 来到 /FCKeditor/editor/filemanager/connectors/test.html Because the combination of the previous secondary upload vulnerability, so the first upload of any content of the file: asd.asp.txt

burpsuite upload the package and modify the repeater The name was changed to asd. asp%00txt then put%0 0 specially designed for URL encoding after the upload to get asd(1). asp

As shown, the webshell: http://localhost/userfiles/file/asd(1). asp

!