Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.FCKEDITOR_JAVA_CURRENTFOLDER_DOS.NASL
HistoryJul 20, 2009 - 12:00 a.m.

FCKeditor.Java Connector Servlet 'CurrentFolder' Infinite Loop DoS

2009-07-2000:00:00
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
50

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.033 Low

EPSS

Percentile

91.3%

JSON

The remote web server is hosting a web application that uses FCKeditor.Java, which is used to run FCKeditor in a Java environment.

Input to the ‘CurrentFolder’ parameter of the connector servlet is not sanitized properly. It is possible to create a specially crafted request that could put the web server into an infinite loop. A remote attacker could use this to create a denial of service.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(39875);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2009-4875");
  script_bugtraq_id(35709);
  script_xref(name:"SECUNIA", value:"35870");

  script_name(english:"FCKeditor.Java Connector Servlet 'CurrentFolder' Infinite Loop DoS");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host has a denial of service
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote web server is hosting a web application that uses
FCKeditor.Java, which is used to run FCKeditor in a Java environment.

Input to the 'CurrentFolder' parameter of the connector servlet is
not sanitized properly.  It is possible to create a specially crafted
request that could put the web server into an infinite loop.  A
remote attacker could use this to create a denial of service.");
  script_set_attribute(attribute:"see_also", value:"https://dev.ckeditor.com/ticket/3902");
  script_set_attribute(attribute:"see_also", value:"http://sourceforge.net/project/shownotes.php?release_id=697258");
  script_set_attribute(attribute:"see_also", value:"http://java.fckeditor.net/changes-report.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to FCKeditor.Java version 2.4.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("webmirror.nasl", "http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 8080);

  exit(0);
}

#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:8080);
vuln_urls = make_list();

# FCKeditor.Java could be used with any JSP web app...there doesn't seem to be
# a reliable way of detecting it
if (thorough_tests)
{
  dirs = get_kb_list('www/' + port + '/content/directories');
  if (isnull(dirs)) dirs = make_list(cgi_dirs());
}
else dirs = make_list(cgi_dirs());


foreach dir (dirs)
{
  connector = string(dir, '/fckeditor/editor/filemanager/connectors/connector');

  # This URL won't trigger the DoS, but it will respond differently depending
  # on whether or not the software is patched
  url = string(
    connector, '?',
    'Command=CreateFolder&',
    'Type=File&',
    'CurrentFolder=/%00/&',
    'NewFolderName=', SCRIPT_NAME
  );

  res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail: 1);

  if (
    'Invalid current folder specified' >!< res[2] &&
    '<Connector command="CreateFolder" resourceType="File">' >< res[2] &&
    '<CurrentFolder path="/&#0;/"' >< res[2]
  )
  {
    vuln_urls = make_list(vuln_urls, url);
    if (!thorough_tests) break;
  }
}

if (max_index(vuln_urls) > 0)
{
  if (report_verbosity > 0)
  {
    report = string(
      "\n",
      "Nessus did not exploit this issue, but was able to detect it based\n",
      "on the response generated by requesting the following URL(s) :\n"
    );

    foreach url (vuln_urls)
      report += string("\n  ", build_url(port:port, qs:url), "\n");

    security_warning(port:port, extra:report);
  }
  else security_warning(port);

}
else exit(0, "No vulnerable installs were found.");

Related

prion 1
cvelist 1
cve 1
nvd 1
prion
prion
Design/Logic Flaw
2010-05-26 18:30:00
cvelist
cvelist
CVE-2009-4875
2010-05-26 18:00:00
cve
cve
CVE-2009-4875
2010-05-26 18:30:01
nvd
nvd
CVE-2009-4875
2010-05-26 18:30:01

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.033 Low

EPSS

Percentile

91.3%

JSON
Related for FCKEDITOR_JAVA_CURRENTFOLDER_DOS.NASL
prion1cvelist1cve1nvd1