Website bug fix ueditor Vulnerability arbitrary file Upload Vulnerability 2018. NET new

Ueditor recently exposed to high-risk loopholes, including the current official Ueditor 1.4.3.3 latest version, are affected by this vulnerability, Ueditor is the official Baidu technical team developed a front-end editor, you can upload pictures, write text, support custom HTML writing, Mobile and computer-side can be seamlessly docking, adaptive pages, pictures can automatically adapt to the current upload path and page scale, some video file upload, open source, efficient, stable, safe, has been well received by the Webmaster's favorite.

Baidu's Ueditor text editor, rarely exposed in recent years, there is no absolute, there will always be loopholes, the exposure of the vulnerability is. NET version, the other php,jsp,asp version is not affected by this ueditor vulnerability,. NET has arbitrary file upload, Bypassing the file format restrictions, in the acquisition of remote resources when the remote file format is not strictly filtered and judged, the attacker can upload arbitrary files including script execution files, including ASPX script Trojan, ASP script Trojan, can also exploit the Ueditor vulnerability to the server attack, The execution system name destroys the server, because the vulnerability severity is high, the victim website is more, the analysis and recurrence of this vulnerability is as follows:

We download the official Ueditor 1.4.3.3 version, select the. NET language, see the last update date is 2016-05-26, we find a server to build the ASPX environment, install iis7.5, we upload the file when the construction of a malicious HTML file, Facilitates our submission of data in the past:

Then we open the HTML to see, need a remote link to the file, here we can find a picture script Trojan, preferably a word picture pony, the pony file uploaded to our website server, the file name to Anquan.jpg? aspx, and then copy the Web site that is linked to the constructed HTML, such as:

Click Submit, upload success directly, and return to our ASPX script Trojan path address, we can use it when we open it.

Uedito Vulnerability Analysis

So how did the Uedito loophole occur? The most important is the use of IIS directory decompression function, while the decompression will go to access the controller files, including controller.aspx files, when uploaded to the site, will automatically extract and invoke some special application directory address, some directories can be remote call, we look at the following code:

So how to Uedito vulnerability to the site bug fix it?

1. The current temporary bug fix is recommended that the file upload directory settings without script execution permissions, Uploadvideo, Uploadimage, Catchimage, Uploadscrawl, UploadFile, and so on the directory are set without script permissions.

2. Before Baidu Ueditor official no patch, set the picture directory as read-only, prohibit writing.

3. Modify the source code of the program, the Crawlerhandler source file upload format of the strict filtering and judgment.

Website bug fix ueditor Vulnerability arbitrary file Upload Vulnerability 2018. NET new