Title: FCKEditor 2.6.8 File Upload and CKFinder/FCKEditor DoS Vulnerabilities
Author: admin
Time: 2012-12-10 10:20

Thanks to 生生不息 for posting the lead in the freebuf community's "分享团" (sharing group), which made this article possible.
Original post: http://club.freebuf.com/?/question/129#reply12

FCKEditor 2.6.8 File Upload Vulnerability

The original text on Exploit-db is as follows:
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:

In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"

In the video (a proxy is needed to get past the firewall), we can see clearly:
1. First, uploading aspx files is forbidden.
2. With %00 truncation (URL-decoded), on the first upload the file name is converted to the _ character.
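
The quick patch quoted above wraps each allow-list value in ^( ... )$. The following is an added example, not code from the original post or from FCKEditor: it audits a config.asp for ConfigAllowedExtensions.Add values that lack that anchoring and shows what the anchoring changes. It assumes the configured value is applied to the extension as an unanchored, case-insensitive regex search; the sample config, extension strings and function names are constructed for illustration.

```python
import re

# Constructed sample of a config.asp fragment (not taken from a real install).
SAMPLE_CONFIG = '''
ConfigAllowedExtensions.Add "File", "7z|doc|gif|jpg|pdf|txt|zip"
ConfigAllowedExtensions.Add "Image","^(bmp|gif|jpeg|jpg|png)$"
' ConfigAllowedExtensions.Add "Flash", "swf|flv"
'''

# Active line of the form: ConfigAllowedExtensions.Add "<type>","<pattern>"
# Anchoring at line start skips VBScript comment lines, which begin with '.
ADD_RE = re.compile(
    r'^\s*ConfigAllowedExtensions\.Add\s+"([^"]*)"\s*,\s*"([^"]*)"', re.I)
# The form the quick patch prescribes: ^( ... )$
ANCHORED_RE = re.compile(r'^\^\(.*\)\$$')


def audit_config(text):
    """Return {resource_type: 'anchored' | 'unanchored'} per active Add line."""
    report = {}
    for line in text.splitlines():
        m = ADD_RE.match(line)
        if m:
            rtype, pattern = m.groups()
            anchored = ANCHORED_RE.match(pattern) is not None
            report[rtype] = "anchored" if anchored else "unanchored"
    return report


def extension_allowed(pattern, ext):
    """Assumed check semantics: unanchored, case-insensitive regex search."""
    return re.search(pattern, ext, re.I) is not None


def patched(pattern):
    """Rewrite an allow-list value the way the quick patch describes."""
    return "^(" + pattern + ")$"


if __name__ == "__main__":
    for rtype, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{rtype}: {status}")
    weak = "7z|doc|gif|jpg|pdf|txt|zip"
    for ext in ("jpg", "xjpgx"):  # constructed extension strings
        print(ext, extension_allowed(weak, ext),
              extension_allowed(patched(weak), ext))
```

Any resource type reported as "unanchored" accepts every extension string that merely contains an allowed one, which is the behaviour the patch removes.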