FCKeditor2.0-2.4.3arbitraryfileupload
# Author: grabz
# Software Link: http://sourceforge.net/projects/fckeditor/
# Version: FCKeditor 2.x <= 2.4.3
# Tested on: 2.0, 2.2, 2.3.2, 2.4.0, 2.4.3
for version 2.0 – 2.2:
in file FCKeditor/editor/filemanager/upload/php/upload.php
#$sType = isset( $_GET[`Type`] ) ? $_GET[`Type`] : `File` ;
#
#// Get the allowed and denied extensions arrays.
#$arAllowed = $Config[`AllowedExtensions`][$sType] ;
#$arDenied = $Config[`DeniedExtensions`][$sType] ;
we can send as Type any text that not contained in (File, Flash, Image) and
then we can upload file with any extension like “.php”
for version 2.3.0 – 2.4.3:
in file FCKeditor/editor/filemanager/upload/php/upload.php
#$sType = isset( $_GET[`Type`] ) ? $_GET[`Type`] : `File` ;
#
#// Check if it is an allowed type.
#if ( !in_array( $sType, array(`File`,`Image`,`Flash`,`Media`) ) )
# SendResults( 1, “, “, `Invalid type specified` ) ;
#
#// Get the allowed and denied extensions arrays.
#$arAllowed = $Config[`AllowedExtensions`][$sType] ;
#$arDenied = $Config[`DeniedExtensions`][$sType] ;
in this code we can see filter by Type, but in config.php
$Config[`AllowedExtensions`][`Media`] and
$Config[`DeniedExtensions`][`Media`] not exists))
if we send Type=Media, we can upload any file)
#Exploit