FCKEditor Core ASP 2.6.8 – Arbitrary File Upload Protection Bypass

• Exploit Database
• 38 阅读

• 作者： Soroush Dalili
  日期： 2012-11-29
• 类别：

  • webapps
  平台：

  • asp
• 来源：https://www.exploit-db.com/exploits/23005/

• - Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
  - Credit goes to: Mostafa Azizi, Soroush Dalili
  - Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
  - Description:
  There is no validation on the extensions when FCKEditor 2.6.8 ASP version is 
  dealing with the duplicate files. As a result, it is possible to bypass 
  the protection and upload a file with any extension.
  
  - Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
  - Solution: Please check the provided reference or the vendor website.
  - PoC: http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720
  
  Duplicate files do not have proper validation on their extensions.
  
  As a result, it is possible to upload any file with any extension on the server by using Null Character.
  
  Applications on IIS6 can also use "file.asp;gif" pattern.
  - Solution: In "config.asp", wherever you have: ConfigAllowedExtensions.Add "File","EXTENSION HERE" Change it to: ConfigAllowedExtensions.Add "File","^(Extensions HERE)$"
  - Vulnerability: Vulnerable File: commands.asp Function: FileUpload() Vulnerable Code: sFileName = RemoveExtension( sOriginalFileName ) & "(" & iCounter & ")." & sExtension
  
  
  
  
  Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
  
  In “config.asp”, wherever you have:
  
  ConfigAllowedExtensions.Add“File”,”Extensions Here”
  
  Change it to:
  
  ConfigAllowedExtensions.Add“File”,”^(Extensions Here)$”