oCERT-2009-007 FCKeditor input sanitization errors
FCKeditor, a web-based open source HTML text editor, suffers from a remote file upload vulnerability.
The input passed to the CurrentFolder parameter in several connector modules is not properly verified before being used. This exposes the contents of arbitrary directories on the server filesystem and allows files to be uploaded to arbitrary locations. The affected code is remotely exposed before authentication. An attacker can exploit this vulnerability to install remote shells on the victim server, among other things. It should be noted that this vulnerability is being actively exploited in the wild.
Additionally, several XSS vulnerabilities are present in the packaged samples directory.
While upgrading is strongly recommended, the following mitigation instructions can be implemented as a workaround:
- remove unused connectors from 'editor\filemanager\connectors'
- disable the file browser in config.ext
- inspect the default upload path (e.g. '/userfiles/') for suspicious files
- inspect all fckeditor folders on the server for suspicious files that may have been uploaded; for example, image directories (e.g. 'fckeditor/editor/images/...') are well-known target locations for remote PHP shells with extensions that match image files
- remove the '_samples' directory
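A triage pass for the two inspection steps above, as an added example that is not part of the oCERT advisory or of FCKeditor. It flags files whose image extension does not match their content, images containing a PHP open tag, and names carrying an interpreter extension. The extension list, the 1 MiB read limit and the sample file names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Magic numbers expected at the start of files with these image extensions.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
               ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}
# Interpreter extension anywhere in the name: "x.php", "x.php.gif" (assumed list).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|jsp|cfm)(\.|$)", re.I)
PHP_TAG = re.compile(rb"<\?php", re.I)  # bare "<?" is too noisy in binary data


def inspect_file(path):
    """Return the reasons a file looks suspicious (empty list if none)."""
    name = Path(path).name.lower()
    reasons = ["script extension"] if SCRIPT_EXT.search(name) else []
    magic = IMAGE_MAGIC.get(Path(name).suffix)
    if magic:
        with open(path, "rb") as fh:
            data = fh.read(1 << 20)  # first 1 MiB is enough for triage
        if not data.startswith(magic):
            reasons.append("image extension without image header")
        if PHP_TAG.search(data):
            reasons.append("PHP open tag inside image")
    return reasons


def scan_tree(root):
    """Return {relative_path: reasons} for every suspicious file under root."""
    root = Path(root)
    hits = {p.relative_to(root).as_posix(): inspect_file(p)
            for p in root.rglob("*") if p.is_file()}
    return {rel: why for rel, why in hits.items() if why}


def demo():
    """Scan a constructed tree standing in for 'userfiles/' (sample data only)."""
    samples = {"image/logo.gif": b"GIF89a" + b"\x00" * 32,        # clean image
               "image/banner.gif": b"GIF89a<?php /* stub */ ?>",  # header + script
               "image/photo.jpg": b"<?php /* stub */ ?>",         # no image header
               "file/notes.php.png": b"\x89PNG\r\n\x1a\n"}        # double extension
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan_tree(root)
```

On a server, call scan_tree() on the upload path and on the fckeditor folders; a clean result does not rule out a compromise, since a script can be stored under any name the web server is configured to execute.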
Affected version:
FCKeditor <= 2.6.4
(version 3.0 is unaffected as it does not have any built-in file browser)
The following packages were identified as affected as they statically include fckeditor in their own packages.
Knowledgeroot <= 0.9.9
GForge <= 5.6.1
Fixed version:
FCKeditor >= 188.8.131.52
Knowledgeroot >= 0.9.9.1
Credit: vulnerability report received from Vinny Guido <bigvin [at] hushmail [dot] com>.
2009-05-03: vulnerability report received
2009-05-04: contacted fckeditor maintainer
2009-05-25: maintainer denies reported issues against latest version
2009-05-25: reporter confirms that latest version is affected
2009-06-21: maintainer forwards report to project security maintainer
2009-06-23: security maintainer confirms CurrentFolder vulnerability
2009-06-24: security maintainer provides patch
2009-06-29: assigned CVE
2009-07-03: reporter and oCERT request disclosure, maintainer requests embargo until security release
2009-07-03: preliminary advisory release with mitigation instructions due to wide exposure of the issue
2009-07-06: added more affected packages, security patch provided to affected vendors
2009-07-06: fckeditor 184.108.40.206 released
2009-07-07: updated workarounds list
2009-07-07: knowledgeroot 0.9.9.1 released