Wednesday, May 26, 2010

FCKeditor not rocket science/fckeditor

Just the other day I was doing a test and I identified a website that used FCKeditor to modify the content of its web pages. Basically, this tool is an easy way to allow dumb users to update whatever they want on their sites without the lazy and/or busy administrator having to give them support. Pretty straightforward, right? The problem that I found is that when this tool is installed and linked with the website, some default configuration might be left in place that allows internet users to upload files to the web application server. Now, I have to say that by default extensions like .jsp, .aspx or .asp are not allowed; however, Flash files are allowed, and this might be where the fun begins. The main idea that I have is that someone could upload a malicious file that executes JavaScript against any user who opens the page. So the only thing that I did is write a Metasploit auxiliary module that detects whether this tool is being used by a website and whether it allows files to be uploaded to the server.

The module can be found here: fckeditor-scan

Now, if the only thing that you want is to test this problem, there are several steps that you have to follow.

Step 1

Look for the folder:

http://www.site.com/fckeditor/fckeditor.js

This file will have the configuration of the tool. At the end of the file you can see whether the tool is configured to allow uploads of client files.

Step 2

If file uploading is enabled, just open the following HTML file:

http://www.site.com/fckeditor/editor/filemanager/connectors/test.html

That file might give you all that you need to test whether or not you can upload files to the web application server.
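For administrators checking their own installation, the same two checks can be run against the files on disk. This is an added example, not the Metasploit module mentioned above; the `fckconfig.js` file name and the `FCKConfig.<Type>Upload = true ;` setting form are assumptions based on FCKeditor 2.x, and the sample config is constructed.

```python
import re
from pathlib import Path

# Assumed FCKeditor 2.x client-side setting form: FCKConfig.FlashUpload = true ;
UPLOAD_FLAG = re.compile(
    r"^[ \t]*FCKConfig\.(\w+Upload)\s*=\s*(true|false)\s*;", re.MULTILINE)
# Relative path taken from the post; sample pages should not ship to production.
TEST_PAGE = Path("editor/filemanager/connectors/test.html")


def strip_comments(js):
    """Drop /* */ and whole-line // comments so commented-out settings are ignored."""
    js = re.sub(r"/\*.*?\*/", "", js, flags=re.DOTALL)
    return re.sub(r"^[ \t]*//.*$", "", js, flags=re.MULTILINE)


def enabled_uploads(config_js):
    """Return upload settings whose final assignment is true (last one wins)."""
    state = {}
    for name, value in UPLOAD_FLAG.findall(strip_comments(config_js)):
        state[name] = (value == "true")
    return sorted(name for name, on in state.items() if on)


def audit_install(root, config_name="fckconfig.js"):
    """Audit a local FCKeditor directory; config_name is an assumed default."""
    root = Path(root)
    cfg = root / config_name
    text = cfg.read_text(errors="replace") if cfg.is_file() else ""
    return {
        "config_found": cfg.is_file(),
        "uploads_enabled": enabled_uploads(text),
        "test_page_present": (root / TEST_PAGE).is_file(),
    }


# Constructed sample config, not copied from a real site.
SAMPLE = """
FCKConfig.LinkUpload = false ;
// FCKConfig.ImageUpload = true ;
FCKConfig.ImageUpload = false ;
/* FCKConfig.LinkUpload = true ; */
FCKConfig.FlashUpload = true ;
FCKConfig.FlashUploadAllowedExtensions = ".(swf|flv)$" ;
"""

if __name__ == "__main__":
    print(enabled_uploads(SAMPLE))
```

Any entry in `uploads_enabled`, or `test_page_present` being true, marks an installation that still carries the defaults described in this post.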

Some day I will elaborate a little bit more on this when I have time to test this problem further, but right now I am pretty sure that this could help some of the people that are out there. Hope it does.


c4an.