Security : FCKeditor File Upload Vulnerability
Posted by frank on 2006/3/8 20:20:01 (1189 reads)

Secunia Advisory: SA18767
Release Date: 2006-02-10
Last Update: 2006-02-16

Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: FCKeditor 2.x

CVE reference: CAN-2006-0658

Description:
rgod has discovered a vulnerability in FCKeditor, which potentially can be exploited by malicious people to compromise a vulnerable system.

The problem is that it is possible to upload arbitrary files to a location inside the web root if the file extension does not match the list of denied file extensions. This can e.g. be exploited to upload and execute a malicious PHP script with the ".php.txt" file extension.

Successful exploitation requires that file uploads have been enabled in the "config.php" configuration file (not enabled by default).

The vulnerability has been confirmed in version 2.2 and has also been reported in version 2.0. Other versions may also be affected.

Solution:
Disable file uploads in "config.php".

http://secunia.com/advisories/18767/

-->ExV2 did not use file upload from FCK Editor. So far there is no problem for ExV2.
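
The ".php.txt" case from the advisory, as an added example that is not FCKeditor or ExV2 code: a denylist check of the kind described, next to an allowlist check that accepts only a single approved extension. The function names and both extension lists are hypothetical.

```php
<?php
// Added example; names and lists are assumptions, not taken from FCKeditor.

// Denylist check in the style the advisory describes: only the last
// extension is compared against a list of denied extensions.
function denylist_allows(string $name, array $denied = ['php', 'php3', 'phtml', 'asp', 'cgi']): bool
{
    $last = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($last, $denied, true);
}

// Allowlist check: exactly one extension, taken from an approved list,
// and a restricted character set for the base name.
function allowlist_allows(string $name, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']): bool
{
    $name = basename(str_replace('\\', '/', $name)); // drop any client-supplied path
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$/', $name, $m)) {
        return false; // rejects multi-extension names, dotfiles, trailing dots
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Store under a server-generated name so that nothing from the client
// name except the vetted extension reaches the filesystem.
function storage_name(string $name): ?string
{
    if (!allowlist_allows($name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names.
foreach (['photo.jpg', 'report.PDF', 'shell.php', 'shell.php.txt', '.htaccess'] as $n) {
    printf("%-14s denylist=%-6s allowlist=%-6s stored=%s\n", $n,
        denylist_allows($n) ? 'accept' : 'reject',
        allowlist_allows($n) ? 'accept' : 'reject',
        storage_name($n) ?? '-');
}
```

The denylist accepts "shell.php.txt" and ".htaccess" while the allowlist rejects both. Because the advisory's uploads land inside the web root, disabling script execution in the upload directory or storing uploads outside the web root is a complementary control.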


 
frank Re: FCKeditor File Upload Vulnerability

Webmaster




ExV2 did not use file upload from FCK Editor. So far no problem.

--
A Developer and Webdesigner
powered by http://www.i-s-o.org
References: http://webdesign.i-s-o.org/sites/Verschiedenes/Referenzen/index.html
2006/3/8 20:36
