Contribute  :  Support  :  Downloads  :  Forum  :  Links  :  Polls  :  Calendar  :  Directory  :  Advanced Search  
Geeklog The Ultimate Weblog System

advanced search 

Resources

Getting started
Support
Development

Sections

Home
Geeklog (190)
Geeklog 2 (28)
Announcements (201)
Summer of Code (8)
Security (55)
Plugins (50)
Server (26)
Spam (10)

User Functions

:

:

Don't have an account yet? Sign up as a New User
Lost your password?

What's New

STORIES

No new stories

COMMENTS last 2 days

No new comments

TRACKBACKS last 2 days

No new trackback comments

NEW FILES last 14 days


LINKS last 2 weeks

No recent new links

Older Stories

Monday 17-Mar


Tuesday 08-Jan


Saturday 29-Dec


Tuesday 04-Dec


Sunday 04-Nov
Welcome to Geeklog
Friday, May 16 2008 @ 02:30 AM EDT
   

Exploit for FCKeditor's mcpuk file manager

Friday, June 30 2006 @ 07:15 AM EDT
Contributed by: Dirk
Views: 10,646
Security

While yesterday's exploit only affected incorrect Geeklog installs, this new one is more serious:

An exploit has been posted for the "mcpuk" file manager that we're shipping with FCKeditor in Geeklog 1.4.0. The exploit allows an attacker to upload and execute arbitrary code.

While FCKeditor is not enabled by default, this exploit works even when FCKeditor is disabled, as it calls the vulnerable file directly. So it is not enough to disable FCKeditor in config.php.

If you don't plan to use FCKeditor on your site, you can simply remove the entire 'fckeditor' subdirectory (from Geeklog's public_html). Otherwise, you will have to remove the file manager as explained below ...

To remove the file manager, go to the 'fckeditor/editor' directory (again, in Geeklog's 'public_html' directory) and remove the entire 'filemanager' subdirectory. Then, you should disable the file manager in the FCKeditor configuration file, 'fckconfig.js'. It contains the following three options, all of which should be set to "false" to disable the file manager: 

FCKConfig.LinkBrowser = false;
(...)
FCKConfig.ImageBrowser = false;
(...)
FCKConfig.FlashBrowser = false;

Next, you should check if anyone managed to upload malicious code to your site. Check the four subdirectories below 'images/library' (named 'File', 'Flash', 'Image', and 'Media') for suspicous files, i.e. ones that you didn't upload yourself. The published exploit uses files whos names contains 'suntzu' - remove those.

After these changes, FCKeditor should continue to work, but you won't be able to upload files with it. If you'd rather have the upload capabilities back, you could upgrade to the recently released FCKeditor 2.3 (instructions can be found in the forum).

 

What's Related

Story Options

Trackback

Trackback URL for this entry: http://www.geeklog.net/trackback.php/exploit-for-fckeditor-filemanager

Here's what others have to say about 'Exploit for FCKeditor's mcpuk file manager':

New Geeklog Exploit from Media Gallery Support
There have been a couple of new Geeklog exploits released into the wild and in the hands of script kiddies everywhere! We are already seeing hundreds of attempts each day in the logs here. Please see this article at the main Geeklog Site for more info. [read more]
Tracked on Friday, June 30 2006 @ 09:27 AM EDT

Geeklog - Geeklog 1.4.0sr4
Tracked on Friday, June 30 2006 @ 05:38 PM EDT

Geeklog - Geeklog 1.4.0sr5-1 and 1.3.11sr7-1 bugfix releases
Tracked on Sunday, July 23 2006 @ 03:10 PM EDT

Geeklog - Bugfixes: Geeklog 1.4.0sr5-1 und 1.3.11sr7-1
Tracked on Sunday, July 23 2006 @ 03:17 PM EDT

Exploit for FCKeditor's mcpuk file manager | 0 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.

© 2002-2008 Geeklog
Created this page in 0.37 seconds		 Powered By Geeklog 1.4.1 
Hosted by pair.com