FCKeditor input sanitization errors

2009-07-06 / 2009-07-07
Credit: Andrea Barisani
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2009-2265 | CVE-2009-2324
CWE: CWE-22

#2009-007 FCKeditor input sanitization errors Description: FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability. The input of several connector modules is not properly verified before being used, this leads to exposure of the contents of arbitrary directories on the server filesystem and allows file uploading to arbitrary locations. The affected code is remotely exposed before authentication. An attacker can exploit this vulnerability to install remote shells on the victim server among other things, it should be noted that this vulnerability is being actively exploited in the wild. Additionally several XSS vulnerabilities are present in the packaged samples directory. A patch and a new FCKeditor version will be made available on Monday July 6th 16:00 CET, this advisory will be updated with detailed information about the issue and a security patch. In the meantime we strongly recommend to implement the following mitigation instructions: * removed unused connectors from 'editor\filemanager\connectors' * disable the file browser in config.ext * inspect all fckeditor folders on the server for suspicious files that may have been previously uploaded, as an example image directories (eg. 'fckeditor/editor/images/...') are well known target locations for remote php shells with extensions that match image files * completely remove the '_samples' directory Affected version: FCKeditor <= 2.6.4 (version 3.0 is unaffected as it does not have any built-in file browser) Fixed version: FCKeditor >= 2.6.4.1 (to be released on 2009-07-06 16:00 CET) Credit: vulnerability report received from Vinny Guido <bigvin [at] hushmail [dot] com>. CVE: CVE-2009-2265 Timeline: 2009-05-03: vulnerability reported received 2009-05-04: contacted fckeditor maintainer 2009-05-25: maintainer denies reported issues against latest version 2009-05-25: reporter confirms that latest version is affected 2009-06-21: maintainer forwards report to project security maintainer 2009-06-23: security maintainer confirms CurrentFolder vulnerability 2009-06-24: security maintainer provides patch 2009-06-29: assigned CVE 2009-07-03: preliminary advisory release with mitigation instructions due to wide exposure of the issue Permalink: http://www.ocert.org/advisories/ocert-2009-007.html

References:

http://www.ocert.org/advisories/ocert-2009-007.html
http://www.securityfocus.com/archive/1/archive/1/504721/100/0/threaded
http://isc.sans.org/diary.html?storyid=6724


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top