FCKeditor Alternative Data Stream Arbitrary File Upload Vulnerability
TITLE: FCKeditor Alternative Data Stream Arbitrary File Upload Vulnerability
CLASS: Input Validation Error
CVE:
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 18 2007 12:00AM
UPDATE: Jun 18 2007 12:00AM
CREDIT: Michael Schramm is credited with the discovery of this vulnerability.
VULNERABLE:
Frederico Caldeira Knabben FCKeditor 2.4.3NOT VULNERABLE:
Vai alla pagina originale su Security Focus
Discussion
FCKeditor is prone to an arbitrary file-upload vulnerability because the application fails to sufficiently sanitize user-supplied input
Attackers can exploit this vulnerability to upload arbitrary PHP files and execute it in the context of the webserver process.
This issue affects version 2.4.3; other versions may also be affected.
Exploit
An attacker can exploit this issue through a web-client.
Solution
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.
References
References:
- FCKEditor Homepage (Frederico Caldeira Knabben)