
FCKeditor connector.php Arbitrary File Upload Vulnerability

http://www.sebug.net/exploit/5799/

FCKeditor is an open-source HTML text editor.

The editor/filemanager/browser/default/connectors/php/connector.php module of FCKeditor contains a vulnerability in its file upload restrictions:

    147.    function FileUpload( $resourceType, $currentFolder )
    148.    {
    149.        $sErrorNumber = '0' ;
    150.        $sFileName = '' ;
    151.
    152.        if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )
    153.        {
    154.            $oFile = $_FILES['NewFile'] ;
    155.
    156.            // Map the virtual path to the local server path.
    157.            $sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;
    158.
    159.            // Get the uploaded file name.
    160.            $sFileName = $oFile['name'] ;
    161.            $sOriginalFileName = $sFileName ;
    162.            // Security fix by truzone 01-15-2006
    163.            //$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
    164.            //$sExtension = strtolower( $sExtension ) ;
    165.
    166.            if(extension_loaded("mime_magic")){
    167.            $sExtension = mime_content_type($oFile['tmp_name']);
    168.            }else{
    169.            $sExtension = $oFile['type'];
    170.            }
    171.            // en of security fix by truzone 01-15-2006
    172.            global $Config ;
    173.
    174.            $arAllowed    = $Config['AllowedExtensions'][$resourceType] ;
    175.            $arDenied    = $Config['DeniedExtensions'][$resourceType] ;

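Because lines 166-170 check only the MIME type of the upload request, a remote attacker can upload a malicious script to the web server by using the pht extension.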
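A hardened form of this check, shown next to a simplified model of the MIME-only decision described above. This is an added example, not FCKeditor code and not from the original advisory. It assumes PHP 7.1+ with the fileinfo extension; the allowlist, the function names `mimeOnlyCheck` and `safeStoredName`, and the sample file are constructed for illustration.

```php
<?php
// Added example, not FCKeditor code. The allowlist and all names are assumptions.
const ALLOWED = [            // extension => content types accepted for it
    'gif' => ['image/gif'],
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
];

// Simplified model of the decision described above: only a MIME string is
// examined, so the file name's extension never influences the outcome.
function mimeOnlyCheck(string $declaredType): bool
{
    return in_array($declaredType, array_merge(...array_values(ALLOWED)), true);
}

// Hardened check: returns a server-generated name to store the file under,
// or null if the upload must be rejected.
function safeStoredName(string $clientName, string $tmpPath): ?string
{
    $base = basename(str_replace('\\', '/', $clientName));
    // Exactly one extension; rejects "a.gif.pht", ".htaccess" and "a.gif.".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $base, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                   // pht and other script extensions are not listed
    }
    // Content type is sniffed server-side; $_FILES[...]['type'] is never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a temp file holding a minimal GIF header.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00");
foreach (['photo.gif', 'photo.pht', 'photo.gif.pht', 'PHOTO.GIF'] as $name) {
    printf("%-14s mime-only=%-6s hardened=%s\n", $name,
        mimeOnlyCheck('image/gif') ? 'accept' : 'reject',
        safeStoredName($name, $tmp) === null ? 'reject' : 'accept');
}
unlink($tmp);
```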