Exploiting PHP Upload Module of FCKEditor
4
Abstract
The PHP file upload module in FCKEditor allows developers to offer file upload
functionality to end users. This paper describes a vulnerability which allows attackers
to bypass file-type checks in this module and upload malicious PHP code into the web
servers.
Introduction
FCKEditor (now CKeditor) is an open source WYSIWYG text editor from CKSource
that can be integrated into web applications, to give end users word processor like
interface. FCK stands for ‘Frederico Caldeira Knabben’, the creator of the project, and
the first version was released in 2003.
This editor supports many server side languages like ASP, ASP.NET, PHP etc. The PHP
upload module, for PHP web applications, has a vulnerability which allows remote
attackers to bypass file-type checks. This vulnerability was discovered during the
course of our website audit work.
The vulnerability affects FCKEditor versions 2.6.4 and below.
Note: A different recently discovered vulnerability in the ASP.NET connector file allows
attackers to upload malicious ASP code into vulnerable servers.
Exploits
FCKEditor has built-in ‘filemanager’ package, which allows developers to offer a file
upload and management module to web site end users. For PHP web applications, one
of the relevant files is ‘upload.php’, which is available at the following location:
<site name><fckeditor>/editor/filemanager/connectors/php/upload.php
This file allows end users to upload files into the web server. It has a built in file-type
checker which does not allow PHP files to be uploaded, but a new vulnerability allows
remote attackers to bypass this vulnerability.
评论0