oCERT-2009-007 FCKeditor input sanitization errors

Description:

FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability.

The input passed to the CurrentFolder parameter in several connector modules is not properly verified before being used. This leads to exposure of the contents of arbitrary directories on the server filesystem and allows file upload to arbitrary locations. The affected code is remotely exposed before authentication. An attacker can exploit this vulnerability to install remote shells on the victim server, among other things; it should be noted that this vulnerability is being actively exploited in the wild.
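As an added illustration (not code from FCKeditor or oCERT) of the missing check: a confinement test for a CurrentFolder-style virtual path, plus a scan over constructed web-server log lines that flags requests whose CurrentFolder would escape the upload root. The upload root, the connector URL and the log lines are assumptions made for the example.

```python
import os
import posixpath
from urllib.parse import parse_qs, urlsplit

# Hypothetical upload root; real connectors configure their own.
UPLOAD_ROOT = "/var/www/userfiles"


def resolve_current_folder(root, current_folder):
    """Map a CurrentFolder value onto a directory under root, or None if it escapes.

    The value is treated as a virtual path rooted at "/" (e.g. "/images/").
    Backslashes, NUL bytes and anything normalising above the root are rejected.
    """
    if not current_folder or "\x00" in current_folder:
        return None
    folder = current_folder.replace("\\", "/")
    if not folder.startswith("/"):
        return None
    rel = posixpath.normpath(folder.lstrip("/"))  # "/a/../b/" -> "b"
    if rel == ".." or rel.startswith("../"):      # climbed above the root
        return None
    if rel == ".":                                # "/" itself
        return root
    candidate = os.path.normpath(os.path.join(root, rel))
    if not candidate.startswith(root + os.sep):   # final containment check
        return None
    return candidate


def flag_connector_requests(log_text, root=UPLOAD_ROOT):
    """Return (client_ip, CurrentFolder) pairs whose CurrentFolder escapes root."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split('"')               # combined-log request is the 2nd field
        request = parts[1].split(" ") if len(parts) > 1 else []
        if len(request) < 2:
            continue
        query = urlsplit(request[1]).query    # parse_qs percent-decodes once
        for value in parse_qs(query).get("CurrentFolder", []):
            if resolve_current_folder(root, value) is None:
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines; the connector path is illustrative only.
SAMPLE_LOG = """\
198.51.100.4 - - [03/Jul/2009:10:00:01 +0000] "GET /fckeditor/connector.php?CurrentFolder=/images/ HTTP/1.1" 200 512
203.0.113.9 - - [03/Jul/2009:10:00:07 +0000] "GET /fckeditor/connector.php?CurrentFolder=/../../../../etc/ HTTP/1.1" 200 2048
203.0.113.9 - - [03/Jul/2009:10:00:12 +0000] "POST /fckeditor/connector.php?CurrentFolder=%2F..%2F..%2Fhtdocs%2F HTTP/1.1" 200 300
"""
```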

Additionally several XSS vulnerabilities are present in the packaged samples directory.

While upgrading is strongly recommended, the following mitigation instructions can be implemented as a workaround:

Affected version:

FCKeditor <= 2.6.4

(version 3.0 is unaffected as it does not have any built-in file browser)

The following packages were identified as affected because they statically include fckeditor in their own packages.

Knowledgeroot <= 0.9.9

GForge <= 5.6.1

Fixed version:

FCKeditor >= 2.6.4.1

Knowledgeroot >= 0.9.9.1

GForge, N/A

Credit: vulnerability report received from Vinny Guido <bigvin [at] hushmail [dot] com>.

CVE: CVE-2009-2265

Timeline:

2009-05-03: vulnerability report received
2009-05-04: contacted fckeditor maintainer
2009-05-25: maintainer denies reported issues against latest version
2009-05-25: reporter confirms that latest version is affected
2009-06-21: maintainer forwards report to project security maintainer
2009-06-23: security maintainer confirms CurrentFolder vulnerability
2009-06-24: security maintainer provides patch
2009-06-29: assigned CVE
2009-07-03: reporter and oCERT request disclosure, maintainer requests embargo until security release
2009-07-03: preliminary advisory release with mitigation instructions due to wide exposure of the issue
2009-07-06: added more affected packages, security patch provided to affected vendors
2009-07-06: fckeditor 2.6.4.1 released
2009-07-07: updated workarounds list
2009-07-07: knowledgeroot 0.9.9.1 released