The day began like every other uneventful day. Having come to work and drunk a cup of cappuccino from a Chinese coffee machine, I sat down to comb through some sites. Going over one of them and studying its source code for a while, I came across markup characteristic of the well-known WYSIWYG editor, FCK. Anyone who has ever dealt with the problems of editors of this kind probably knows it well.
The product itself is not particularly interesting in its own right and is useful mainly to site administrators, since it lets you edit pages on the site visually. What interested me was a different angle: how safely it had been integrated into the CMS, especially since it ships with functionality for uploading pictures to the site.
And lo and behold, the CMS developers had, out of the blue, made several critical mistakes at once, handing out code execution on the site right away!
So what did they do?
1. Having installed the product out of the box and adjusted two values in the configuration, they considered it ready for use, paying no attention to the fact that the product ships with a rich set of sample holes. For example, the upload script was available at a very predictable address, /fckeditor/editor/filemanager/connectors/php/upload.php, and the test page that comes with it as standard was still attached.
2. The script is there, so it works! We do a small check and voilà: the picture lands on someone else's host. Broken in? Not quite, but a step closer to the goal. We try uploading PHP and... bummer: the script complains that this is a disallowed content type.
3. We start googling and find a couple of articles about how this vulnerability can be exploited. The first post indirectly suggests uploading an .htaccess file with handler rules that make Apache process .gif files as php5. We try it and... failure again: the same disallowed content type. We go for coffee to think some more.
4. In passing we notice an article claiming there was some bug in FCKeditor that allows uploading a file into an arbitrary directory. We dig and find a few more articles, which boil down to this: if you upload a file with the extension php.txt and put a null byte at the end of the directory name passed in the Source parameter, the validation function chokes on it and swallows the extension. We throw it together on our knees and, lo and behold, it really works!
In the end: profit! We can easily upload .php files to the host and execute them! A vulnerability? More like a gaping hole!
Of course, I deliberately do not give a list of sites or the name of the vulnerable CMS here. As an argument I will say that it is very popular in narrow circles. As a fact: many sites on this CMS were riddled with holes. I sent letters with information about the vulnerability to many of them, but as practice shows, it is good if at least 10 percent read them and one percent actually attend to the problem.
So what am I getting at? Never, never, and never again deploy components from a distribution kit without examining them for "fleas". When accepting any uploaded data, make sure it goes into a directory in which the web server will not execute it (in Apache this is disabled via .htaccess). It is precisely such a component that can later serve an intruder as the front door.
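To make the advice above concrete, here is a hardened upload handler written for this post as an added example; it is not code from the post, from FCKeditor or from the CMS discussed. It assumes PHP 7.1+ with the fileinfo extension and Apache; the field names, the folder parameter and the path /var/www/uploads are placeholders. It closes the three gaps the steps above walk through: a null byte in a user-controlled folder name is rejected instead of being parsed, the extension is judged by the last dot only so "php.txt" is ".txt", the client's Content-Type is ignored in favour of sniffing the bytes, the stored name is random, and the upload root gets an .htaccess that stops Apache from executing anything in it.

```php
<?php
// Added example, not code from the post or from FCKeditor. Assumes PHP 7.1+
// with the fileinfo extension and Apache; field names and paths are placeholders.
declare(strict_types=1);

// Extension allowlist with the MIME type we expect to sniff from the bytes.
// The client-supplied Content-Type header is never consulted.
const ALLOWED_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// Written to <uploadDir>/.htaccess so Apache treats everything there as static
// data. Needs AllowOverride; if PHP runs via php-fpm, the vhost's own
// <FilesMatch "\.php$"> SetHandler wins and the same rule must go into the vhost.
const UPLOAD_HTACCESS = <<<'HT'
SetHandler default-handler
RemoveHandler .php .phtml .phar .php3 .php5
Options -ExecCGI -Includes
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
HT;

/**
 * Validate one entry of $_FILES plus the client's requested folder; return a
 * safe storage name, or null with $error set.
 */
function validateUpload(array $file, string $folder, ?string &$error): ?string
{
    $error = null;
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $error = 'upload failed';
        return null;
    }
    // The connector described above let a NUL byte in the folder name derail
    // its extension check; refuse control characters outright.
    foreach ([$file['name'], $folder] as $s) {
        if (preg_match('/[\x00-\x1f\x7f]/', $s)) {
            $error = 'control characters in request';
            return null;
        }
    }
    // The client may pick a folder only as a single, safe-looking token.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $folder)) {
        $error = 'bad folder name';
        return null;
    }
    // Judge by the last extension only: "x.php.txt" is ".txt", "x.php" is ".php".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        $error = "extension .$ext not allowed";
        return null;
    }
    // Sniff the real content; a script renamed to .gif does not pass.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        $error = "content type $detected does not match .$ext";
        return null;
    }
    // Discard the client's name entirely; a random name is immune to any
    // remaining double-extension or encoding trick.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Store a validated upload under $uploadDir/$folder, with a protective .htaccess. */
function storeUpload(array $file, string $uploadDir, string $folder, ?string &$error): ?string
{
    $name = validateUpload($file, $folder, $error);
    if ($name === null) {
        return null;
    }
    $base = rtrim($uploadDir, '/');
    $dir  = "$base/$folder";
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        $error = 'cannot create folder';
        return null;
    }
    if (!file_exists("$base/.htaccess")) {
        file_put_contents("$base/.htaccess", UPLOAD_HTACCESS . "\n");
    }
    $dest = "$dir/$name";
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        $error = 'cannot store file';
        return null;
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $dest;
}

// Usage with placeholder names:
// $path = storeUpload($_FILES['NewFile'], '/var/www/uploads', $_GET['Folder'] ?? 'images', $err);
```

The content sniffing and the random name are defence in depth; the control that actually matters is the one the post recommends, a directory the web server will not execute from. The .htaccess written here only helps where AllowOverride permits it and PHP runs as mod_php (use `mod_php7.c` in the IfModule on PHP 7); the more robust form is a `<Directory /var/www/uploads>` block with the same directives in the vhost itself, or storing uploads outside the document root and serving them through a small read-only handler.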
For PR purposes, I will draw your attention to the fact that there is a draft standard, developed with the participation of distinguished colleagues from Habr (https://docs.google.com/document/d/1sbDhyX8Reu8vgEHzhyltXH6dQYzG4lQV7Lmw2ryjsX0/edit), which calls for protection against exactly this kind of bug. But our realities are such that until the thunder breaks, the potatoes will not sprout :)