FCKEditor ASP 2.6.8 - File Upload Protection Bypass

EDB-ID: 23005 CVE: N/A OSVDB-ID: 89282
Verified: Author: Soroush Dalili Published: 2012-11-29
Download Exploit: Source Raw Download Vulnerable App: N/A
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is 
dealing with the duplicate files. As a result, it is possible to bypass 
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.

- PoC:http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:

In “config.asp”, wherever you have:

      ConfigAllowedExtensions.Add    “File”,”Extensions Here”

Change it to:

      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”