http://www.sebug.net/exploit/5799/
FCKeditor is an open-source HTML text editor.
The editor/filemanager/browser/default/connectors/php/connector.php module of FCKeditor contains a file upload restriction bypass vulnerability:
147. function FileUpload( $resourceType, $currentFolder )
148. {
149. $sErrorNumber = '0' ;
150. $sFileName = '' ;
151.
152. if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )
153. {
154. $oFile = $_FILES['NewFile'] ;
155.
156. // Map the virtual path to the local server path.
157. $sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;
158.
159. // Get the uploaded file name.
160. $sFileName = $oFile['name'] ;
161. $sOriginalFileName = $sFileName ;
162. // Security fix by truzone 01-15-2006
163. //$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
164. //$sExtension = strtolower( $sExtension ) ;
165.
166. if(extension_loaded("mime_magic")){
167. $sExtension = mime_content_type($oFile['tmp_name']);
168. }else{
169. $sExtension = $oFile['type'];
170. }
171. // en of security fix by truzone 01-15-2006
172. global $Config ;
173.
174. $arAllowed = $Config['AllowedExtensions'][$resourceType] ;
175. $arDenied = $Config['DeniedExtensions'][$resourceType] ;
Lines 166-170 replace the original extension check (lines 163-164, commented out) with a MIME-type check, so the extension of the uploaded file is never compared against $arAllowed / $arDenied. When the mime_magic extension is not loaded, $sExtension is simply $_FILES['NewFile']['type'], i.e. the Content-Type the client put in its multipart request. A remote attacker can therefore upload a malicious script with a .pht extension (or any other extension the server's PHP handler executes) while declaring a harmless type such as image/gif, and then execute it on the web server.
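The following is an added example, not FCKeditor's own code. It models the decision made in FileUpload(): the MIME-only variant produced by lines 166-170, next to a hardened variant that derives the real extension from the file name and checks it against the allow/deny lists. The $Config lists, the helper names and the shape of the allow/deny comparison that follows line 175 (not shown on the page) are assumptions for the demonstration.

```php
<?php
// Added example, not FCKeditor's own code. Models the upload decision in
// connector.php's FileUpload(): the MIME-only check from the "security fix"
// next to a hardened extension check. $Config values are assumptions.

$Config = array(
    // empty allow list = accept everything that is not denied
    'AllowedExtensions' => array('File' => array()),
    'DeniedExtensions'  => array('File' => array(
        'php', 'php3', 'php4', 'php5', 'phtml', 'pht', 'phar',
        'asp', 'aspx', 'jsp', 'cgi', 'htaccess')),
);

// Vulnerable variant: "$sExtension" is really a MIME type. Without mime_magic
// it is $_FILES['NewFile']['type'], the Content-Type the client chose.
function isAllowedMimeOnly($clientMimeType, $resourceType) {
    global $Config;
    $sExtension = $clientMimeType;                       // what lines 166-170 yield
    $arAllowed  = $Config['AllowedExtensions'][$resourceType];
    $arDenied   = $Config['DeniedExtensions'][$resourceType];
    // Assumed shape of the comparison after line 175: a string such as
    // "image/gif" never equals an entry of an extension list, so the deny
    // list is effectively dead code.
    if (count($arAllowed) > 0 && !in_array($sExtension, $arAllowed)) return false;
    if (count($arDenied)  > 0 &&  in_array($sExtension, $arDenied))  return false;
    return true;
}

// Hardened variant: take the extension from the file name (as the commented-out
// code did), normalise it, and check every dot-separated segment so that
// "shell.pht.jpg" is rejected too (Apache's mod_mime evaluates each extension).
function isAllowedByExtension($fileName, $resourceType) {
    global $Config;
    $arAllowed = array_map('strtolower', $Config['AllowedExtensions'][$resourceType]);
    $arDenied  = array_map('strtolower', $Config['DeniedExtensions'][$resourceType]);

    $parts = explode('.', basename($fileName));          // drop any path component
    if (count($parts) < 2) return false;                 // require an extension
    array_shift($parts);                                 // remaining segments are extensions
    foreach ($parts as $seg) {
        $seg = strtolower(trim($seg));
        if ($seg === '') return false;                   // "shell.pht." style names
        if (in_array($seg, $arDenied, true)) return false;
    }
    $last = strtolower(trim(end($parts)));
    if (count($arAllowed) > 0 && !in_array($last, $arAllowed, true)) return false;
    return true;
}

// Constructed sample uploads: the .pht case from the advisory plus two variants.
$uploads = array(
    array('shell.pht',     'image/gif'),
    array('shell.pht.jpg', 'image/jpeg'),
    array('photo.jpg',     'image/jpeg'),
);
foreach ($uploads as $u) {
    list($name, $mime) = $u;
    printf("%-15s %-11s mime-only: %-6s  extension: %s\n", $name, $mime,
        isAllowedMimeOnly($mime, 'File')    ? 'ACCEPT' : 'reject',
        isAllowedByExtension($name, 'File') ? 'accept' : 'REJECT');
}
```

Run with `php upload_check.php`: the MIME-only check accepts shell.pht as soon as the client labels it image/gif, while the extension check rejects both shell.pht and shell.pht.jpg and accepts only photo.jpg. Note that the mime_magic branch on line 167 does not close the hole either: mime_content_type() sniffs the file content, so a PHP script prefixed with a GIF header is reported as image/gif. The extension the web server will hand to its PHP handler is the property that must be validated.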