728x90
FCKEditor (now known as CKEditor [1]) is a popular full featured GUI editor many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a filemanager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this features if frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically for this file manager plugin:
HEAD /js/fckeditor/editor/filemanager/connectors/test.html HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html HEAD /admin/FCKeditor/editor/fckeditor.htmlHEAD /include/fckeditor/_samples/default.html HEAD /include/fckeditor/editor/filemanager/connectors/test.htmlThese requests did not set a user agent or a referrer. The following set did however use "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1;" and instead of a HEAD request it used a GET request, indicating that there are different distinct tools looking for the same vulnerability:
GET /editor/editor/filemanager/connectors/uploadtest.html HTTP/1.1GET /editor/editor/filemanager/upload/test.html HTTP/1.1GET /editor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1GET /editor/editor/filemanager/connectors/test.html HTTP/1.1GET /admin/fckeditor/editor/filemanager/connectors/test.html HTTP/1.1GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1GET /Fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1GET /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1GET /admin/FCKeditor/editor/filemanager/upload/test.html HTTP/1.1GET /Fckeditor/editor/filemanager/connectors/test.html HTTP/1.1GET /admin/fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1
GET /FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1
I am still looking for any samples of files these script attempt to upload. If you got any, please let use know.
[1] http://ckeditor.com
------
Johannes B. Ullrich, Ph.D.
728x90
'Security_News > 해외보안소식' 카테고리의 다른 글
| From Windows to Droids: An insight in to multi vector attack mechanisms in RATs (0) | 2014.03.18 |
|---|---|
| 말레이시아 항공기실종을 악용한 scam 주의 (0) | 2014.03.18 |
| Agent.btz: a source of inspiration? (0) | 2014.03.18 |
| Analysis of, Malware from the MtGox leak archive (0) | 2014.03.18 |
| Taking Aim at the Energy Sector: Three Steps to Defend Against a Rising Number of Attacks (0) | 2014.03.18 |