
Rapid7 Security Advisory 36

30 Aug 2010 00:00:00 | Reported by H D Moore | Type: packetstorm | Source: packetstormsecurity.com

FCKEditor.NET File Upload Code Execution vulnerability on IIS server

`R7-0036: FCKEditor.NET File Upload Code Execution  
August 30, 2010  
  
-- Vulnerability Details:  
  
FCKEditor contains a file renaming bug that allows remote code execution. Specifically, it is possible to upload ASP code via the ASP.NET connector in FCKEditor. The vulnerability requires that the remote server be running IIS. This vulnerability has been confirmed on FCKEditor 2.5.1 and 2.6.6.  
  
CVSS Vector: AV:R/AC:L/Au:NR/C:C/I:C/A:C  
  
Browse to http://<ip>/fckeditor/editor/filemanager/connectors/test.html and choose the ASP.NET connector. By uploading a file whose name includes an underscore followed by a dot and matches the name of an existing file, it is possible to bypass the file renaming mitigation in place. For instance, when uploading a file twice with the name:  
  
myfile_.asp;.txt  
  
The first file would be renamed  
  
myfile__asp;.txt  
  
BUT the second file will be renamed  
  
myfile_.asp;(1).txt  
  
Due to the IIS semicolon vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444), the server will execute myfile_.asp;(1).txt as ASP when the second file is accessed.  
  
  
-- Vendor Response:  
A new version of the .NET connector has been released to address this issue; it can be found at the URL below.  
  
http://ckeditor.com/blog/FCKeditor.Net_2.6.4_released  
  
-- Disclosure Timeline:  
2010-08-17 - Vulnerability reported to the vendor via contact form  
2010-08-17 - Vulnerability reported to the vendor via bug tracker  
2010-08-19 - Vulnerability reported to the vendor via email  
2010-08-27 - Vendor replied indicating a fix is in the works  
2010-08-27 - Vendor schedules the fix for August 30th, 2010  
2010-08-30 - Vendor releases version 2.6.4 to address the issue  
  
-- Credit:  
This vulnerability was discovered by Will Vandevanter of the Rapid7 professional services team during a customer engagement.  
  
-- About Rapid7 Security  
Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool.  
  
Our vulnerability disclosure policy is available online at:  
  
http://www.rapid7.com/disclosure.jsp  
  
  
  
`
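
The Python below is an added example, not code from the advisory or from FCKeditor. It models the CVE-2009-4444 extension parsing so stored upload names can be audited, and shows a rename routine that builds the collision suffix from the sanitized name and validates the final name again. The allowlist and all function names are assumptions.

```python
import os
import re

# Script-mapped extensions named in the CVE-2009-4444 description.
SCRIPT_EXTS = {".asp", ".asa", ".cer"}
ALLOWED_EXTS = {".txt", ".jpg", ".png", ".gif"}  # assumption: sample allowlist


def effective_extension(name):
    """Extension as affected IIS sees it: only the text before the first ';'."""
    return os.path.splitext(name.split(";", 1)[0])[1].lower()


def is_risky(name):
    """True if a stored name would be handled as script under CVE-2009-4444."""
    return effective_extension(name) in SCRIPT_EXTS


def audit(names):
    """Return the stored upload names that need review."""
    return [n for n in names if is_risky(n)]


def sanitize(name):
    """Replace ';' and other unsafe characters, then keep only the last dot."""
    name = re.sub(r"[^A-Za-z0-9._()-]", "_", os.path.basename(name))
    stem, ext = os.path.splitext(name)
    return stem.replace(".", "_") + ext.lower()


def safe_upload_name(requested, existing):
    """Pick the stored name. The collision suffix is derived from the
    sanitized name, and the final name is checked before it is returned."""
    clean = sanitize(requested)
    stem, ext = os.path.splitext(clean)
    if ext not in ALLOWED_EXTS:
        raise ValueError("extension not allowed: %r" % ext)
    taken = {n.lower() for n in existing}
    candidate, n = clean, 0
    while candidate.lower() in taken:
        n += 1
        candidate = "%s(%d)%s" % (stem, n, ext)
    if is_risky(candidate) or effective_extension(candidate) != ext:
        raise ValueError("unsafe final name: %r" % candidate)
    return candidate
```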
