
DOE-CIRC TECHNICAL BULLETIN

T-177: FCKeditor input sanitization errors

[CVE-2009-2265]

July 6, 2009 12:00 GMT

PROBLEM: FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability.
PLATFORM: FCKeditor 2.6.4 and below are vulnerable
ABSTRACT: The input of several connector modules is not properly verified before being used; this leads to exposure of the contents of arbitrary directories on the server filesystem and allows files to be uploaded to arbitrary locations.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-177.shtml
  OTHER LINKS:
    ISC: http://isc.sans.org/diary.html?storyid=6730
    SecurityFocus: http://www.securityfocus.com/archive/1/504721
    oCERT: http://www.ocert.org/advisories/ocert-2009-007.html


  CVE: CVE-2009-2265

IMPACT ASSESSMENT: The risk is high. The vulnerability is being widely exploited in the wild to upload ColdFusion web shells to affected web servers.

[***** Start CVE-2009-2265 *****]
Description:
FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability. The input of several connector modules is not properly verified before being used; this leads to exposure of the contents of arbitrary directories on the server filesystem and allows file uploading to arbitrary locations. The affected code is remotely exposed before authentication. An attacker can exploit this vulnerability to install remote shells on the victim server, among other things. It should be noted that this vulnerability is being actively exploited in the wild.

Additionally, several XSS vulnerabilities are present in the packaged samples directory.
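The CurrentFolder check referenced in the advisory timeline, illustrated with an added example that is not code from this bulletin, from the oCERT advisory, or from the FCKeditor project. A naive connector builds a filesystem path directly from the client-supplied CurrentFolder parameter, so '../' segments walk out of the user-files directory; that is the class of defect behind the directory listing and arbitrary-location upload described above. The hardened version whitelists the folder syntax, rejects '.' and '..' segments, and confirms that the normalized result still lies under the root. The root path /var/www/userfiles and the function names are assumptions for illustration.

```python
import posixpath
import re
from typing import Optional

# Assumed user-files root for illustration; in FCKeditor 2.x the real value comes
# from the connector's config file and is not reproduced in the advisory.
USER_FILES_ROOT = "/var/www/userfiles"

# Allowed CurrentFolder syntax: a leading '/', then zero or more non-empty
# segments of safe characters, each terminated by '/'. Backslashes, NUL bytes,
# newlines and empty segments ('//') never match. fullmatch() is used so a
# trailing newline cannot slip past a '$' anchor.
FOLDER_RE = re.compile(r"/(?:[A-Za-z0-9 _.-]+/)*")


def naive_resolve(current_folder: str, root: str = USER_FILES_ROOT) -> str:
    """Illustration of the vulnerable pattern: trust CurrentFolder and join it
    onto the root. '../' segments escape the root entirely."""
    return posixpath.normpath(posixpath.join(root, current_folder.lstrip("/")))


def resolve_current_folder(current_folder: str, root: str = USER_FILES_ROOT) -> Optional[str]:
    """Hardened version: return the on-disk directory for CurrentFolder, or None
    if the value must be rejected. Assumes the value has already been URL-decoded
    by the web framework, as a query parameter would be."""
    if not FOLDER_RE.fullmatch(current_folder):
        return None
    # The character class admits '.', so '.' and '..' segments pass the regex
    # and must be rejected explicitly.
    segments = [s for s in current_folder.split("/") if s]
    if any(s in (".", "..") for s in segments):
        return None
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_norm, *segments))
    # Defence in depth: even after the syntax checks, confirm containment.
    if target != root_norm and not target.startswith(root_norm + "/"):
        return None
    return target


if __name__ == "__main__":
    for folder in ("/", "/Image/2009/", "/../../../etc/", "/Image/..\\..\\/"):
        print(repr(folder), "naive ->", naive_resolve(folder),
              "| hardened ->", resolve_current_folder(folder))
```

The containment test at the end is deliberately redundant with the regex: if the whitelist is ever loosened (for example to allow Unicode folder names), the normpath comparison still stops a traversal.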

Solution:

A patch and a new FCKeditor version will be made available on Monday July 6th 16:00 CET; this advisory will be updated with detailed information about the issue and a security patch. In the meantime we strongly recommend implementing the following mitigation instructions:
* remove unused connectors from 'editor\filemanager\connectors'
* disable the file browser in config.ext (the config file of each remaining connector, e.g. config.php or config.cfm)
* inspect all FCKeditor folders on the server for suspicious files that may have been previously uploaded; as an example, image directories (eg. 'fckeditor/editor/images/...') are well known target locations for remote PHP shells with extensions that match image files
* completely remove the '_samples' directory

Affected version: FCKeditor <= 2.6.4 (version 3.0 is unaffected as it does not have any built-in file browser)
Fixed version: FCKeditor >= 2.6.4.1 (to be released on 2009-07-06 16:00 CET)

Credit: vulnerability report received from Vinny Guido.
CVE: CVE-2009-2265
Timeline:
2009-05-03: vulnerability report received
2009-05-04: contacted fckeditor maintainer
2009-05-25: maintainer denies reported issues against latest version
2009-05-25: reporter confirms that latest version is affected
2009-06-21: maintainer forwards report to project security maintainer
2009-06-23: security maintainer confirms CurrentFolder vulnerability
2009-06-24: security maintainer provides patch
2009-06-29: assigned CVE
2009-07-03: preliminary advisory release with mitigation instructions due to wide exposure of the issue
Permalink:
http://www.ocert.org/advisories/ocert-2009-007.html


[***** End CVE-2009-2265 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788