FCKeditor is bundled with seems-like everything (ColdFusion, Drupal plugins, WordPress plugins, other random CMSs) and has probably been responsible for countless hacks via file upload issues.
Examples:
http://www.exploit-db.com/exploits/12697/
http://www.exploit-db.com/exploits/15484/
http://www.exploit-db.com/exploits/17644/
Big O'l list on Exploit-DB
CVEdetails on FCKeditor.
LOW?
Actually most FCKeditors checks in Nessus I found were either Medium or High (hence honorable mention and not in the talk).
There is a good write-up of a classic case of FCKEditor abuse here:
http://secureyes.net/nw/assets/File-Upload-Vulnerability-in-FCKEditor.pdf
Google Dorks
inurl:/editor/filemanager/browser/default/connectors/[LANGUAGE]/connector.php
No comments:
Post a Comment