BUGTRAQ ID: 31812 CVE(CAN) ID: CVE-2008-6178 FCKeditor是一款开放源码的HTML文本编辑器。 FCKeditor的editor/filemanager/browser/default/connectors/php/connector.php模块中存在文件上传限制漏洞: 147. function FileUpload( $resourceType, $currentFolder ) 148. { 149. $sErrorNumber = '0' ; 150. $sFileName = '' ; 151. 152. if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) ) 153. { 154. $oFile = $_FILES['NewFile'] ; 155. 156. // Map the virtual path to the local server path. 157. $sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ; 158. 159. // Get the uploaded file name. 160. $sFileName = $oFile['name'] ; 161. $sOriginalFileName = $sFileName ; 162. // Security fix by truzone 01-15-2006 163. //$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ; 164. //$sExtension = strtolower( $sExtension ) ; 165. 166. if(extension_loaded("mime_magic")){ 167. $sExtension = mime_content_type($oFile['tmp_name']); 168. }else{ 169. $sExtension = $oFile['type'];...
BUGTRAQ ID: 31812 CVE(CAN) ID: CVE-2008-6178 FCKeditor是一款开放源码的HTML文本编辑器。 FCKeditor的editor/filemanager/browser/default/connectors/php/connector.php模块中存在文件上传限制漏洞: 147. function FileUpload( $resourceType, $currentFolder ) 148. { 149. $sErrorNumber = '0' ; 150. $sFileName = '' ; 151. 152. if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) ) 153. { 154. $oFile = $_FILES['NewFile'] ; 155. 156. // Map the virtual path to the local server path. 157. $sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ; 158. 159. // Get the uploaded file name. 160. $sFileName = $oFile['name'] ; 161. $sOriginalFileName = $sFileName ; 162. // Security fix by truzone 01-15-2006 163. //$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ; 164. //$sExtension = strtolower( $sExtension ) ; 165. 166. if(extension_loaded("mime_magic")){ 167. $sExtension = mime_content_type($oFile['tmp_name']); 168. }else{ 169. $sExtension = $oFile['type']; 170. } 171. // en of security fix by truzone 01-15-2006 172. global $Config ; 173. 174. $arAllowed = $Config['AllowedExtensions'][$resourceType] ; 175. $arDenied = $Config['DeniedExtensions'][$resourceType] ; 由于166-170行仅检查了MIME类型的上传请求,因此远程攻击者可以通过pht扩展名向Web服务器上传恶意脚本。 FCKeditor 2.2 厂商补丁: FCKeditor --------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: <a href=http://www.fckeditor.net/ target=_blank rel=external nofollow>http://www.fckeditor.net/</a>
