SlideShare una empresa de Scribd logo

File upload-vulnerability-in-fck editor

Paolo Dolci
Paolo Dolci

PoC File Upload Vulnerability in FCKEditor

Tecnología
1 de 16
Descargar para leer sin conexión
Whitepaper Exploiting PHP Upload Module of FCKEditor Bypassing File-type Check Anant Kochhar Utkarsh Bhatt Sabyasachi Samanta
Exploiting PHP Upload Module of FCKEditor TABLE OF CONTENTS Abstract .............................................................. 4 Introduction......................................................... 4 Exploits ............................................................... 4 The Attack Scenario .............................................. 5 Vulnerable Versions ............................................ 15 Impact .............................................................. 15 Recommended Resolutions .................................. 15 About The Authors .............................................. 17 About SecurEyes ................................................ 17 Addendum* ....................................................... 17 3
Exploiting PHP Upload Module of FCKEditor Abstract The PHP file upload module in FCKEditor allows developers to offer file upload functionality to end users. This paper describes a vulnerability which allows attackers to bypass file-type checks in this module and upload malicious PHP code into the web servers. Introduction FCKEditor (now CKeditor) is an open source WYSIWYG text editor from CKSource that can be integrated into web applications, to give end users word processor like interface. FCK stands for ‘Frederico Caldeira Knabben’, the creator of the project, and the first version was released in 2003. This editor supports many server side languages like ASP, ASP.NET, PHP etc. The PHP upload module, for PHP web applications, has a vulnerability which allows remote attackers to bypass file-type checks. This vulnerability was discovered during the course of our website audit work. The vulnerability affects FCKEditor versions 2.6.4 and below. Note: A different recently discovered vulnerability in the ASP.NET connector file allows attackers to upload malicious ASP code into vulnerable servers. Exploits FCKEditor has built-in ‘filemanager’ package, which allows developers to offer a file upload and management module to web site end users. For PHP web applications, one of the relevant files is ‘upload.php’, which is available at the following location: <site name><fckeditor>/editor/filemanager/connectors/php/upload.php This file allows end users to upload files into the web server. It has a built in file-type checker which does not allow PHP files to be uploaded, but a new vulnerability allows remote attackers to bypass this vulnerability. 4
Exploiting PHP Upload Module of FCKEditor The Attack Scenario A website, http://www.vulnerable123.com, has integrated FCKEditor version 2.6.4. For the sake of this proof-of-concept, it is assumed that the test page, ‘uploadtest.html’, packaged with FCKEditor, has not been removed. Also, assume that there is no session-based access control check on any of the FCKEditor files, including ‘upload.php’, allowing remote attackers to access them without authentication. An attacker browses to the File Upload test page at the URL: http://www.vulnerable123.com/admin/FCKeditor_2.6.4/editor/filemanager/connectors /uploadtest.html He selects the ‘File Uploader’ as PHP, ‘Resource Type’ as File and selects a ‘.txt’ file. 5
Exploiting PHP Upload Module of FCKEditor The file was successfully uploaded as shown below. 6
Exploiting PHP Upload Module of FCKEditor The uploaded file location can be seen by browsing to the above encircled location. http://www.vulnerable123.com/userfiles/test.txt The raw HTTP traffic for this transaction, as intercepted in an HTTP proxy, has the following structure: 7
Exploiting PHP Upload Module of FCKEditor Next, the attacker tries to upload a PHP file. 8
Exploiting PHP Upload Module of FCKEditor On clicking the ‘Send it to the Server’ button, the file doesn’t get uploaded and the following ‘Invalid File’ message was displayed: From the above screen, it is evident that ‘upload.php’ implements a file-type check on all uploaded files. This check can be bypassed in the following way: Step#1: The attacker enters malicious PHP code into a ‘.txt’ file, which is valid file- type. Following is the malicious PHP content in the ‘exploit.txt’ file. 9
Exploiting PHP Upload Module of FCKEditor Step#2: The attacker clicks on the ‘Send it to the Server’ button and captures the request in an HTTP proxy: 10
Exploiting PHP Upload Module of FCKEditor He appends the following string to the value of the URL parameter ‘Current Folder’. command.php%00 11
Exploiting PHP Upload Module of FCKEditor Note: In the above screenshot ‘%00’ in the string is the Null Byte. The file was successfully updated as shown below: The attacker browses to the uploaded file URL and confirms that the malicious file has been uploaded: http://www.vulnerable123.com/userfiles/command.php 12
Exploiting PHP Upload Module of FCKEditor He enters a system command as shown below and clicks on the ‘Search’ button. dir C:xampphtdocsadmin He is shown the following details: 13
Exploiting PHP Upload Module of FCKEditor List of files and folders in the ‘admin’ directory The above screenshot shows that the command displayed the directory listing of the mentioned folder. What’s going on? 1) There is a proper validation for the file type in the ‘filename’ parameter. 2) The ‘exploit.txt’ file is uploaded successfully because ‘.txt’ is an allowed file- type. 3) The text file contains malicious PHP code, but since the server does not execute text files, it does not pose a security risk. 4) Instead of the ‘exploit.txt’ file, however, ‘command.php’ file is created on the server. 5) Moreover, the content of ‘command.php’ is the same as the content of ‘exploit.txt’ file. This happens because: 1) The ‘currentfolder’ URL parameter value gives the name of a sub-folder, in the upload folder where the file will be uploaded. 2) By inserting the ‘%00’ null byte character at the end of the sub-folder name, it is possible to create a new file instead of a new folder. 14
Exploiting PHP Upload Module of FCKEditor 3) This happens because the path of the file to be created looks like the following: /root/mysite/userfiles/command.php%00/exploit.txt 4) As the server ignores everything after the null byte, a new file is created called ‘command.php’ with the following location: /root/mysite/userfiles/command.php Vulnerable Versions This vulnerability affects FCKEditor versions 2.6.4 and below. Impact The impact of the above findings is SEVERE since attackers can upload malicious files, like web shells and completely compromise affected web servers. Recommended Resolutions These are some of the measures that should be taken to remove this vulnerability 1. Older versions of FCKEditor should be replaced with latest version of FCKEditor (CKEditor 3.6.6) to thwart the above vulnerabilities. 2. For FCKEditor of version 2.6.4 and less, the ‘currentfolder’ parameter can be disabled with the following code changes in the upload.php file: ‘sCurrentFolder = GetCurrentFolder()’ should be replaced with ‘sCurrentFolder = "/"’ 15
Exploiting PHP Upload Module of FCKEditor Vulnerable Code Safe Code 16
Exploiting PHP Upload Module of FCKEditor About The Authors Anant Kochhar, Utkarsh Bhatt and Sabyasachi Samanta are Information Security Consultants and they have, between them, secured several web applications. They can be reached at anant.kochhar@secureyes.net, utkarsh.bhatt@secureyes.net and sabyasachi.samanta@secureyes.net respectively. About SecurEyes SecurEyes is a Bangalore based firm specializing in IT security. SecurEyes offers a wide range of security services and products to its clients. For more information, please visit our website: http://www.secureyes.net/. Addendum* While we discovered this vulnerability independently and during the course of our work, it has recently come to our attention that this vulnerability was already in the public realm. This was an honest oversight on our part and we did not intend to take the credit away from those who discovered and disclosed this vulnerability first. More information is available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2009-2265 17

Recomendados

"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 

Recomendados

"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin PolicyFabrizio Farinacci
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
PacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto JackingPacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto JackingAPNIC
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngVõ Thái Lâm
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
Intro to Reactive Programming
Intro to Reactive ProgrammingIntro to Reactive Programming
Intro to Reactive ProgrammingStéphane Maldini
 
Understanding Web Cache
Understanding Web CacheUnderstanding Web Cache
Understanding Web CacheProdigyView
 
Web development
Web developmentWeb development
Web developmentRaziyaChoudhary
 
XML External Entity (XXE)
XML External Entity (XXE)XML External Entity (XXE)
XML External Entity (XXE)Jay Thakker
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST APIAniruddh Bhilvare
 
Lfi
LfiLfi
Lfipenetration Tester
 
HTTP
HTTPHTTP
HTTPMaeEstherMaguadMaralit
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomSiddharth Krishna Kumar
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...SecuRing
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
Unrestricted file upload
Unrestricted file uploadUnrestricted file upload
Unrestricted file uploadvikram vashisth
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Php File Upload
Php File UploadPhp File Upload
Php File Uploadsaeel005
 
php secure
php securephp secure
php secureahmed zaichi
 

Más contenido relacionado

La actualidad más candente

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
PacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto JackingPacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto JackingAPNIC
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngVõ Thái Lâm
 
Intro to Reactive Programming
Intro to Reactive ProgrammingIntro to Reactive Programming
Intro to Reactive ProgrammingStéphane Maldini
 
Understanding Web Cache
Understanding Web CacheUnderstanding Web Cache
Understanding Web CacheProdigyView
 
XML External Entity (XXE)
XML External Entity (XXE)XML External Entity (XXE)
XML External Entity (XXE)Jay Thakker
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomSiddharth Krishna Kumar
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...SecuRing
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
Unrestricted file upload
Unrestricted file uploadUnrestricted file upload
Unrestricted file uploadvikram vashisth
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 

La actualidad más candente (20)

The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin Policy
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Click jacking
Click jackingClick jacking
Click jacking
 
PacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto JackingPacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto Jacking
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng Hưng
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Intro to Reactive Programming
Intro to Reactive ProgrammingIntro to Reactive Programming
Intro to Reactive Programming
 
Understanding Web Cache
Understanding Web CacheUnderstanding Web Cache
Understanding Web Cache
 
Web development
Web developmentWeb development
Web development
 
XML External Entity (XXE)
XML External Entity (XXE)XML External Entity (XXE)
XML External Entity (XXE)
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST API
 
Lfi
LfiLfi
Lfi
 
HTTP
HTTPHTTP
HTTP
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
 
Unrestricted file upload
Unrestricted file uploadUnrestricted file upload
Unrestricted file upload
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 

Similar a File upload-vulnerability-in-fck editor

Php File Upload
Php File UploadPhp File Upload
Php File Uploadsaeel005
 
Setting up the hyperledger composer in ubuntu
Setting up the hyperledger composer in ubuntuSetting up the hyperledger composer in ubuntu
Setting up the hyperledger composer in ubuntukesavan N B
 
Creating Sentiment Line Chart with Watson
Creating Sentiment Line Chart with Watson Creating Sentiment Line Chart with Watson
Creating Sentiment Line Chart with Watson Dev_Events
 
CodeIgniter Lab
CodeIgniter LabCodeIgniter Lab
CodeIgniter LabLeo Nguyen
 
Installing WordPress on AWS
Installing WordPress on AWSInstalling WordPress on AWS
Installing WordPress on AWSManish Jain
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareVishal Kumar
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsMunir Njiru
 
Online Bank Hack
Online Bank HackOnline Bank Hack
Online Bank HackCaleb Sima
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case studyOktawian Powazka
 
Test automation with php codeception
Test automation with php codeceptionTest automation with php codeception
Test automation with php codeceptionbuddhieash
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XPRupesh Kumar
 
Create Your Own Framework by Fabien Potencier
Create Your Own Framework by Fabien PotencierCreate Your Own Framework by Fabien Potencier
Create Your Own Framework by Fabien PotencierHimel Nag Rana
 
Orange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox ExtensionOrange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox Extensionchaykaborya
 

Similar a File upload-vulnerability-in-fck editor (20)

Php File Upload
Php File UploadPhp File Upload
Php File Upload
 
php secure
php securephp secure
php secure
 
Setting up the hyperledger composer in ubuntu
Setting up the hyperledger composer in ubuntuSetting up the hyperledger composer in ubuntu
Setting up the hyperledger composer in ubuntu
 
Prevent hacking
Prevent hackingPrevent hacking
Prevent hacking
 
Creating Sentiment Line Chart with Watson
Creating Sentiment Line Chart with Watson Creating Sentiment Line Chart with Watson
Creating Sentiment Line Chart with Watson
 
CodeIgniter Lab
CodeIgniter LabCodeIgniter Lab
CodeIgniter Lab
 
Installing WordPress on AWS
Installing WordPress on AWSInstalling WordPress on AWS
Installing WordPress on AWS
 
News web application
News web applicationNews web application
News web application
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft Maalware
 
XSS
XSSXSS
XSS
 
XSS
XSSXSS
XSS
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploits
 
Online Bank Hack
Online Bank HackOnline Bank Hack
Online Bank Hack
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
 
Test automation with php codeception
Test automation with php codeceptionTest automation with php codeception
Test automation with php codeception
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
Create Your Own Framework by Fabien Potencier
Create Your Own Framework by Fabien PotencierCreate Your Own Framework by Fabien Potencier
Create Your Own Framework by Fabien Potencier
 
PHP Conference - Phalcon hands-on
PHP Conference - Phalcon hands-onPHP Conference - Phalcon hands-on
PHP Conference - Phalcon hands-on
 
Orange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox ExtensionOrange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox Extension
 

Último

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Último (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

File upload-vulnerability-in-fck editor

  • 1. Whitepaper Exploiting PHP Upload Module of FCKEditor Bypassing File-type Check Anant Kochhar Utkarsh Bhatt Sabyasachi Samanta
  • 2. Exploiting PHP Upload Module of FCKEditor TABLE OF CONTENTS Abstract .............................................................. 4 Introduction......................................................... 4 Exploits ............................................................... 4 The Attack Scenario .............................................. 5 Vulnerable Versions ............................................ 15 Impact .............................................................. 15 Recommended Resolutions .................................. 15 About The Authors .............................................. 17 About SecurEyes ................................................ 17 Addendum* ....................................................... 17 3
  • 3. Exploiting PHP Upload Module of FCKEditor Abstract The PHP file upload module in FCKEditor allows developers to offer file upload functionality to end users. This paper describes a vulnerability which allows attackers to bypass file-type checks in this module and upload malicious PHP code into the web servers. Introduction FCKEditor (now CKeditor) is an open source WYSIWYG text editor from CKSource that can be integrated into web applications, to give end users word processor like interface. FCK stands for ‘Frederico Caldeira Knabben’, the creator of the project, and the first version was released in 2003. This editor supports many server side languages like ASP, ASP.NET, PHP etc. The PHP upload module, for PHP web applications, has a vulnerability which allows remote attackers to bypass file-type checks. This vulnerability was discovered during the course of our website audit work. The vulnerability affects FCKEditor versions 2.6.4 and below. Note: A different recently discovered vulnerability in the ASP.NET connector file allows attackers to upload malicious ASP code into vulnerable servers. Exploits FCKEditor has built-in ‘filemanager’ package, which allows developers to offer a file upload and management module to web site end users. For PHP web applications, one of the relevant files is ‘upload.php’, which is available at the following location: <site name><fckeditor>/editor/filemanager/connectors/php/upload.php This file allows end users to upload files into the web server. It has a built in file-type checker which does not allow PHP files to be uploaded, but a new vulnerability allows remote attackers to bypass this vulnerability. 4
  • 4. Exploiting PHP Upload Module of FCKEditor The Attack Scenario A website, http://www.vulnerable123.com, has integrated FCKEditor version 2.6.4. For the sake of this proof-of-concept, it is assumed that the test page, ‘uploadtest.html’, packaged with FCKEditor, has not been removed. Also, assume that there is no session-based access control check on any of the FCKEditor files, including ‘upload.php’, allowing remote attackers to access them without authentication. An attacker browses to the File Upload test page at the URL: http://www.vulnerable123.com/admin/FCKeditor_2.6.4/editor/filemanager/connectors /uploadtest.html He selects the ‘File Uploader’ as PHP, ‘Resource Type’ as File and selects a ‘.txt’ file. 5
  • 5. Exploiting PHP Upload Module of FCKEditor The file was successfully uploaded as shown below. 6
  • 6. Exploiting PHP Upload Module of FCKEditor The uploaded file location can be seen by browsing to the above encircled location. http://www.vulnerable123.com/userfiles/test.txt The raw HTTP traffic for this transaction, as intercepted in an HTTP proxy, has the following structure: 7
  • 7. Exploiting PHP Upload Module of FCKEditor Next, the attacker tries to upload a PHP file. 8
  • 8. Exploiting PHP Upload Module of FCKEditor On clicking the ‘Send it to the Server’ button, the file doesn’t get uploaded and the following ‘Invalid File’ message was displayed: From the above screen, it is evident that ‘upload.php’ implements a file-type check on all uploaded files. This check can be bypassed in the following way: Step#1: The attacker enters malicious PHP code into a ‘.txt’ file, which is valid file- type. Following is the malicious PHP content in the ‘exploit.txt’ file. 9
  • 9. Exploiting PHP Upload Module of FCKEditor Step#2: The attacker clicks on the ‘Send it to the Server’ button and captures the request in an HTTP proxy: 10
  • 10. Exploiting PHP Upload Module of FCKEditor He appends the following string to the value of the URL parameter ‘Current Folder’. command.php%00 11
  • 11. Exploiting PHP Upload Module of FCKEditor Note: In the above screenshot ‘%00’ in the string is the Null Byte. The file was successfully updated as shown below: The attacker browses to the uploaded file URL and confirms that the malicious file has been uploaded: http://www.vulnerable123.com/userfiles/command.php 12
  • 12. Exploiting PHP Upload Module of FCKEditor He enters a system command as shown below and clicks on the ‘Search’ button. dir C:xampphtdocsadmin He is shown the following details: 13
  • 13. Exploiting PHP Upload Module of FCKEditor List of files and folders in the ‘admin’ directory The above screenshot shows that the command displayed the directory listing of the mentioned folder. What’s going on? 1) There is a proper validation for the file type in the ‘filename’ parameter. 2) The ‘exploit.txt’ file is uploaded successfully because ‘.txt’ is an allowed file- type. 3) The text file contains malicious PHP code, but since the server does not execute text files, it does not pose a security risk. 4) Instead of the ‘exploit.txt’ file, however, ‘command.php’ file is created on the server. 5) Moreover, the content of ‘command.php’ is the same as the content of ‘exploit.txt’ file. This happens because: 1) The ‘currentfolder’ URL parameter value gives the name of a sub-folder, in the upload folder where the file will be uploaded. 2) By inserting the ‘%00’ null byte character at the end of the sub-folder name, it is possible to create a new file instead of a new folder. 14
  • 14. Exploiting PHP Upload Module of FCKEditor 3) This happens because the path of the file to be created looks like the following: /root/mysite/userfiles/command.php%00/exploit.txt 4) As the server ignores everything after the null byte, a new file is created called ‘command.php’ with the following location: /root/mysite/userfiles/command.php Vulnerable Versions This vulnerability affects FCKEditor versions 2.6.4 and below. Impact The impact of the above findings is SEVERE since attackers can upload malicious files, like web shells and completely compromise affected web servers. Recommended Resolutions These are some of the measures that should be taken to remove this vulnerability 1. Older versions of FCKEditor should be replaced with latest version of FCKEditor (CKEditor 3.6.6) to thwart the above vulnerabilities. 2. For FCKEditor of version 2.6.4 and less, the ‘currentfolder’ parameter can be disabled with the following code changes in the upload.php file: ‘sCurrentFolder = GetCurrentFolder()’ should be replaced with ‘sCurrentFolder = "/"’ 15
  • 15. Exploiting PHP Upload Module of FCKEditor Vulnerable Code Safe Code 16
  • 16. Exploiting PHP Upload Module of FCKEditor About The Authors Anant Kochhar, Utkarsh Bhatt and Sabyasachi Samanta are Information Security Consultants and they have, between them, secured several web applications. They can be reached at anant.kochhar@secureyes.net, utkarsh.bhatt@secureyes.net and sabyasachi.samanta@secureyes.net respectively. About SecurEyes SecurEyes is a Bangalore based firm specializing in IT security. SecurEyes offers a wide range of security services and products to its clients. For more information, please visit our website: http://www.secureyes.net/. Addendum* While we discovered this vulnerability independently and during the course of our work, it has recently come to our attention that this vulnerability was already in the public realm. This was an honest oversight on our part and we did not intend to take the credit away from those who discovered and disclosed this vulnerability first. More information is available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2009-2265 17