SANS Internet Storm Center

Scans for FCKEditor File Manager
FCKEditor (now known as CKEditor [1]) is a popular full featured GUI editor many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a filemanager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this features if frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically for this file manager plugin: `HEAD /js/fckeditor/editor/filemanager/connectors/test.html` `HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html` `HEAD /admin/FCKeditor/editor/fckeditor.html` `HEAD /include/fckeditor/_samples/default.html` `HEAD /include/fckeditor/editor/filemanager/connectors/test.html` These requests did not set a user agent or a referrer. The following set did however use "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1;" and instead of a HEAD request it used a GET request, indicating that there are different distinct tools looking for the same vulnerability: `GET /editor/editor/filemanager/connectors/uploadtest.html HTTP/1.1` `GET /editor/editor/filemanager/upload/test.html HTTP/1.1` `GET /editor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1` `GET /editor/editor/filemanager/connectors/test.html HTTP/1.1` `GET /admin/fckeditor/editor/filemanager/connectors/test.html HTTP/1.1` `GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1` `GET /Fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1` `GET /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1` `GET /admin/FCKeditor/editor/filemanager/upload/test.html HTTP/1.1` `GET /Fckeditor/editor/filemanager/connectors/test.html HTTP/1.1` `GET /admin/fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1 GET /FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1` I am still looking for any samples of files these script attempt to upload. If you got any, please let use know. [1] http://ckeditor.com ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022	Johannes 4349 Posts ISC Handler Mar 18th 2014
Thread locked Subscribe	Mar 18th 2014 7 years ago
i get the following gets /fckeditor/editor/filemanager/upload/aspx/upload.aspx?Command=CreateFolder&Type=Media&CurrentFolder=ali.asp&NewFolderName=hack.asp /fckeditor/editor/filemanager/upload/aspx/upload.aspx?Command=FileUpload&Type=File&CurrentFolder=%2F /fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=%2F	Anonymous
Quote	Nov 26th 2014 7 years ago
got a bunch of these over the past two days, noticed some webshell attempt alerts on the IDS, i guess they auto try to upload some files via fskeditor or whatever, and in the same breath try to reach the asp webshell to see if it worked.	TuggDougins 37 Posts
Quote	Mar 25th 2015 6 years ago

FCKEditor (now known as CKEditor [1]) is a popular full featured GUI editor many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a filemanager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this features if frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically for this file manager plugin:

HEAD /js/fckeditor/editor/filemanager/connectors/test.html

HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html

HEAD /admin/FCKeditor/editor/fckeditor.html

HEAD /include/fckeditor/_samples/default.html

HEAD /include/fckeditor/editor/filemanager/connectors/test.html

These requests did not set a user agent or a referrer. The following set did however use "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1;" and instead of a HEAD request it used a GET request, indicating that there are different distinct tools looking for the same vulnerability:

GET /editor/editor/filemanager/connectors/uploadtest.html HTTP/1.1

GET /editor/editor/filemanager/upload/test.html HTTP/1.1

GET /editor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1

GET /editor/editor/filemanager/connectors/test.html HTTP/1.1

GET /admin/fckeditor/editor/filemanager/connectors/test.html HTTP/1.1

GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1

GET /Fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1

GET /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1

GET /admin/FCKeditor/editor/filemanager/upload/test.html HTTP/1.1

GET /Fckeditor/editor/filemanager/connectors/test.html HTTP/1.1

GET /admin/fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1 GET /FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1

I am still looking for any samples of files these script attempt to upload. If you got any, please let use know.

[1] http://ckeditor.com

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022

Johannes

4349 Posts
ISC Handler

Mar 18th 2014

i get the following gets

/fckeditor/editor/filemanager/upload/aspx/upload.aspx?Command=CreateFolder&Type=Media&CurrentFolder=ali.asp&NewFolderName=hack.asp
/fckeditor/editor/filemanager/upload/aspx/upload.aspx?Command=FileUpload&Type=File&CurrentFolder=%2F
/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=%2F

Anonymous

got a bunch of these over the past two days,

noticed some webshell attempt alerts on the IDS, i guess they auto try to upload some files via fskeditor or whatever, and in the same breath try to reach the asp webshell to see if it worked.

TuggDougins

37 Posts