Fckeditor <=2.4.2 For php 任意上传文件漏洞

    [阴 December 18, 2007 16:56 | by ]
Infos: Fckeditor <=2.4.2 For php 任意上传文件漏洞
Author: Maple-x
Date: 18/12/2007
FCKeditor是一款非常优秀的HTML在线编辑器。在处理PHP上传的地方存在严重的安全漏洞
导致用户可以上传任意文件
在fckeditor/editor/filemanager/upload/php/upload.php 61行
$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
// Check if it is an allowed type.
if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
    SendResults( 1, '', '', 'Invalid type specified' ) ;


// Get the allowed and denied extensions arrays.
$arAllowed  = $Config['AllowedExtensions'][$sType] ;
$arDenied   = $Config['DeniedExtensions'][$sType] ;
// Check if it is an allowed extension.
if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) )
|| ( count($arDenied) > 0 && in_array( $sExtension,
$arDenied ) ) )
    SendResults( '202' ) ;


程序从$_GET数组中获取Type变量,然后通过in_array进行类型判断。
但在config配置文件中

$Config['ForceSingleExtension'] = true ;
$Config['AllowedExtensions']['File']    = array() ;
$Config['DeniedExtensions']['File'] =
array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','­asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js­','reg','cgi','htaccess','asis') ;
$Config['AllowedExtensions']['Image']   =
array('jpg','gif','jpeg','png') ;
$Config['DeniedExtensions']['Image']    = array() ;
$Config['AllowedExtensions']['Flash']   = array('swf','fla') ;
$Config['DeniedExtensions']['Flash']    = array() ;


并未对Media类型进行上传文件类型的控制,导致用户上传任意文件

修补办法:更新到最新的2.5版本。或者在config.php文件中,添加对Media类型的文件类型限制

感谢YY小组里,每天淡B的各位

Technology | Comments(0) | Trackbacks(0) | Reads(20408)
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive