Title: FCKEditor 2.6.8 file upload and CKFinder/FCKEditor DoS vulnerabilities
Author: admin  Time: 2012-12-10 10:20

Thanks to 生生不息 for giving the lead in the freebuf community "分享团" group; this article exists because of it.

Original post: http://club.freebuf.com/?/question/129#reply12
FCKEditor 2.6.8 file upload vulnerability

The original text on Exploit-DB reads as follows:
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:

In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"

In the video (requires circumventing the GFW to watch), we can see very clearly:
1. First, uploading .aspx files is forbidden.
2. Using %00 truncation (URL-decoded), the filename of the first upload is converted to an _ character.

Next, when we perform the second upload, the miracle happens.
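To make the two points above concrete (the Exploit-DB note that the extension is not validated on the duplicate-file path, and the quick patch that anchors the allowed-extension pattern with ^(...)$), here is an added example in Python that models the check. It is not code from FCKEditor or from the original post: the allowed-extension list, the (n) rename scheme for duplicates and every filename are constructed for illustration, and the weak flow only imitates the behaviour the entry describes, not FCKEditor's actual VBScript.

```python
import re

# Constructed allowed-extension list standing in for the "File" entry in
# config.asp; FCKEditor's real default list is not reproduced here.
ALLOWED_FILE_EXTENSIONS = "doc|gif|jpg|pdf|png|txt|zip"


def extension_of(filename):
    """Lower-cased extension of the bare filename ('' if there is none)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def allowed_unanchored(filename, allowed=ALLOWED_FILE_EXTENSIONS):
    """Pre-patch style check: the alternation is tested without ^ and $, so an
    allowed extension appearing anywhere inside the real extension passes."""
    return re.search(allowed, extension_of(filename), re.IGNORECASE) is not None


def allowed_anchored(filename, allowed=ALLOWED_FILE_EXTENSIONS):
    """The quick patch from the post: wrap the list in ^(...)$ so the whole
    extension, not a substring of it, has to be on the list."""
    return re.match(rf"^({allowed})$", extension_of(filename), re.IGNORECASE) is not None


def unique_name(filename, existing):
    """Hypothetical duplicate handling: an existing name gets a (n) suffix
    before the extension. Constructed for the example, not FCKEditor's code."""
    if filename not in existing:
        return filename
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    n = 1
    while f"{stem}({n}){dot}{ext}" in existing:
        n += 1
    return f"{stem}({n}){dot}{ext}"


def store_weak(filename, existing):
    """Models the flaw the Exploit-DB entry describes: the extension is checked
    only when the name is new; a duplicate is renamed and written unchecked.
    Returns the stored name, or None when rejected."""
    if filename in existing:
        final = unique_name(filename, existing)
    else:
        if not allowed_unanchored(filename):
            return None
        final = filename
    existing.add(final)
    return final


def store_hardened(filename, existing):
    """Hardened flow: refuse control characters (NUL included), compute the
    final on-disk name first, then run the anchored check against that name."""
    if any(ord(c) < 0x20 for c in filename):
        return None
    final = unique_name(filename, existing)
    if not allowed_anchored(final):
        return None
    existing.add(final)
    return final


if __name__ == "__main__":
    # Constructed demonstration: "pdfx" is not on the list but contains "pdf".
    print("unanchored pdfx:", allowed_unanchored("report.pdfx"))  # True
    print("anchored   pdfx:", allowed_anchored("report.pdfx"))    # False
    # A disallowed extension is refused on first upload by the weak flow ...
    print("weak, new name :", store_weak("tool.exe", set()))      # None
    # ... but the duplicate path stores it renamed, without any check.
    print("weak, duplicate:", store_weak("tool.exe", {"tool.exe"}))  # tool(1).exe
    # The hardened flow validates the renamed name too.
    print("hardened, dup  :", store_hardened("tool.exe", {"tool.exe"}))  # None
```

The check in `store_hardened` runs on the name that will actually be written, which is the order the Exploit-DB description implies was missing, and the anchored pattern is the exact change the quick patch makes to config.asp.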
A code-level analysis can be found at http://lanu.sinaapp.com/ASPVBvbscript/121.html

CKFinder/FCKEditor DoS vulnerability

Compared with the upload bug above, I personally find the following vulnerability more interesting.
CKFinder is a powerful and easy-to-use Ajax file manager for the web browser. Its simple interface makes it intuitive and quick to learn for all kinds of users, from advanced professionals to Internet beginners.

The CKFinder ASP version handles uploaded files like this: