oCERT-2009-007 FCKeditor input sanitization errors

Description:

FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability.

The input passed to the CurrentFolder parameter of several connector modules is not properly verified before being used. This allows the contents of arbitrary directories on the server filesystem to be listed and files to be uploaded to arbitrary locations. The affected code is remotely exposed before authentication. An attacker can exploit this vulnerability to install remote shells on the victim server, among other things; it should be noted that this vulnerability is being actively exploited in the wild.
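The root cause described above is a folder parameter that is joined onto the upload root without being checked. The following is an added example, written for this advisory and not taken from FCKeditor (whose connectors are PHP, ASP and similar server-side scripts); it shows in Python the kind of validation a connector needs before it touches the filesystem. The function names, the regular expression for folder names and the '/var/www/userfiles' root are assumptions for illustration. The check must run on the already URL-decoded parameter value, and it rejects any '..' segment before normalisation, because posixpath.normpath silently collapses a leading '/../' and would otherwise hide the traversal.

```python
import posixpath
import re

# Characters allowed in a single folder segment (assumption for this example;
# tighten or loosen to match the site's own naming rules).
SEGMENT_RE = re.compile(r"[A-Za-z0-9 _.\-]+")


class InvalidFolderError(ValueError):
    """Raised when a CurrentFolder value must not be used."""


def validate_current_folder(current_folder: str) -> str:
    """Return a normalised CurrentFolder value ('/a/b/') or raise.

    The value is expected to be the URL-decoded parameter, always absolute
    relative to the user files root, as the connector protocol sends it.
    """
    if "\x00" in current_folder or "\\" in current_folder:
        raise InvalidFolderError("NUL byte or backslash in CurrentFolder")
    if not current_folder.startswith("/"):
        raise InvalidFolderError("CurrentFolder must start with '/'")
    # Reject traversal and odd names segment by segment, BEFORE normalisation.
    for segment in current_folder.split("/"):
        if segment == "":
            continue
        if segment == "..":
            raise InvalidFolderError("parent-directory segment in CurrentFolder")
        if not SEGMENT_RE.fullmatch(segment):
            raise InvalidFolderError("illegal characters in folder segment %r" % segment)
    normalised = posixpath.normpath(current_folder)   # drops '.' and repeated '/'
    return normalised if normalised.endswith("/") else normalised + "/"


def is_valid_current_folder(current_folder: str) -> bool:
    """Boolean wrapper, convenient for tests and request filters."""
    try:
        validate_current_folder(current_folder)
        return True
    except InvalidFolderError:
        return False


def resolve_server_path(user_files_root: str, current_folder: str) -> str:
    """Map a validated CurrentFolder onto the real directory under the upload root.

    A second, independent containment check is kept here so that the function
    stays safe even if a caller bypasses validate_current_folder().
    """
    safe_folder = validate_current_folder(current_folder)
    root = posixpath.normpath(user_files_root)
    full = posixpath.normpath(posixpath.join(root, safe_folder.lstrip("/")))
    if posixpath.commonpath([root, full]) != root:
        raise InvalidFolderError("resolved path escapes the user files root")
    return full


if __name__ == "__main__":
    # Constructed inputs: two well-formed folders and two that must be refused.
    for value in ("/images/2009/", "/images/./2009", "/../../etc/", "/images/../../../etc/"):
        try:
            print(value, "->", resolve_server_path("/var/www/userfiles", value))
        except InvalidFolderError as exc:
            print(value, "-> rejected:", exc)
```

The connector should perform this check for every operation that takes CurrentFolder (folder listing, folder creation and file upload alike); the directory-listing exposure and the arbitrary upload in the advisory are the same missing check reached through different commands.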

Additionally, several XSS vulnerabilities are present in the packaged samples directory.

While upgrading is strongly recommended, the following mitigation instructions can be implemented as a workaround:

remove unused connectors from 'editor\filemanager\connectors'

disable the file browser in config.ext

inspect the default upload path (e.g. '/userfiles/') for suspicious files

inspect all fckeditor folders on the server for suspicious files that may have been uploaded; as an example, image directories (e.g. 'fckeditor/editor/images/...') are well known target locations for remote php shells with extensions that match image files

remove the '_samples' directory
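The two inspection steps above (the default upload path and the fckeditor image directories) ask the administrator to find script files hiding behind image extensions. The following is an added example, not part of the advisory or of FCKeditor, of a small Python scanner that does this mechanically: for every file with an image extension it checks that the content starts with the matching image magic bytes, that no PHP/ASP/script markers appear anywhere in the file (which also catches a real image with a script appended), and that the name does not carry a double extension such as '.php.jpg'. The directory layout, file names and contents in demo() are constructed for the example.

```python
import os
import tempfile
from typing import Dict, Optional

# Expected leading bytes per image extension (standard file signatures).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
# Markers that should never appear inside an image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")
# Inner extensions that some web server configurations still execute.
EXECUTABLE_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".asp", ".aspx", ".jsp")


def classify(path: str) -> Optional[str]:
    """Return a reason string if an image-named file looks suspicious, else None."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    if ext not in IMAGE_MAGIC:
        return None  # not an image extension; outside this check's scope
    with open(path, "rb") as fh:
        data = fh.read()   # uploads are small; read whole file so appended code is seen
    reasons = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("header does not match %s magic" % ext)
    if any(marker in data for marker in SCRIPT_MARKERS):
        reasons.append("script marker in content")
    if os.path.splitext(stem)[1] in EXECUTABLE_EXTS:
        reasons.append("double extension")
    return "; ".join(reasons) or None


def scan_tree(root: str) -> Dict[str, str]:
    """Walk root and map suspicious files (relative, '/'-separated) to reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            reason = classify(full)
            if reason:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reason
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed fckeditor-like tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        images = os.path.join(tmp, "editor", "images")
        os.makedirs(images)
        samples = {
            # benign files
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
            "notes.txt": b"plain text, not an image",
            # constructed suspicious files (harmless marker text, no real code)
            "banner.gif": b"<?php /* constructed marker */ ?>",
            "thumb.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php /* constructed */ ?>",
            "img.php.jpg": b"\xff\xd8\xff\xe0",
        }
        for filename, content in samples.items():
            with open(os.path.join(images, filename), "wb") as fh:
                fh.write(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, reason in sorted(demo().items()):
        print(rel_path, "->", reason)
```

Run scan_tree() against the real '/userfiles/' and fckeditor directories; any hit is worth comparing against the file's modification time and the web server access log for the upload request that created it.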

Affected version:

FCKeditor <= 2.6.4

(version 3.0 is unaffected as it does not have any built-in file browser)

The following packages were identified as affected because they statically include fckeditor in their own distribution:

Knowledgeroot <= 0.9.9

GForge <= 5.6.1

Fixed version:

FCKeditor >= 2.6.4.1

Knowledgeroot >= 0.9.9.1

GForge, N/A

Credit: vulnerability report received from Vinny Guido <bigvin [at] hushmail [dot] com>.

CVE: CVE-2009-2265

2009-05-03: vulnerability report received

2009-05-04: contacted fckeditor maintainer

2009-05-25: maintainer denies reported issues against latest version

2009-05-25: reporter confirms that latest version is affected

2009-06-21: maintainer forwards report to project security maintainer

2009-06-23: security maintainer confirms CurrentFolder vulnerability

2009-06-24: security maintainer provides patch

2009-06-29: assigned CVE

2009-07-03: reporter and oCERT request disclosure, maintainer requests embargo until security release

2009-07-03: preliminary advisory release with mitigation instructions due to wide exposure of the issue

2009-07-06: added more affected packages, security patch provided to affected vendors

2009-07-06: fckeditor 2.6.4.1 released

2009-07-07: updated workarounds list

2009-07-07: knowledgeroot 0.9.9.1 released