
SANS ISC: Scans for Open File Uploads into CKEditor - SANS Internet Storm Center SANS ISC InfoSec Forums


Scans for Open File Uploads into CKEditor

We are seeing *a lot* of scans for the CKEditor file upload script. CKEditor (aka "FCKEditor") is a commonly used GUI editor that lets users edit HTML as part of a web application. Many web applications, such as wikis and bulletin boards, use it. It also provides the ability to upload files to web servers. The scans I have observed so far appear to focus on the file upload function, but many scans only check for the presence of the editor / file upload function, and it is hard to tell what the attacker would do if the editor is found.

Here are some sample reports:

Full sample POST request:

GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1
HOST: --removed--
ACCEPT: text/html, */*
USER-AGENT: Mozilla/3.0 (compatible; Indy Library)

Some sample Apache logs:

HEAD /FCKeditor/editor/filemanager/upload/test.html
HEAD /admin/FCKeditor/editor/filemanager/browser/default/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html
HEAD /admin/FCKeditor/editor/filemanager/upload/test.html
HEAD /FCKeditor/editor/filemanager/browser/default/connectors/test.html
HEAD /FCKeditor/editor/filemanager/connectors/test.html
HEAD /FCKeditor/editor/filemanager/connectors/uploadtest.html
HEAD /FCKeditor/editor/filemanager/upload/test.html

 

If you are using this module, make sure it is properly configured. It is recommended to password protect the editor if you can (of course, for a public blog comment system that may not be an answer, but it may not need the file upload capability).
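
To check your own access logs for these probes, and to see whether any of them received a 2xx response (meaning the file manager is actually reachable), here is an added example that is not part of the original diary. The log lines are constructed samples built from the paths shown above, the client addresses are documentation ranges, and the Apache common/combined log layout is an assumption about your server.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Request part of an Apache common/combined log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Path fragment shared by every request quoted in the diary.
FILEMANAGER_RE = re.compile(r'/editor/filemanager/(connectors|upload|browser)/', re.I)

# Constructed sample log (documentation IP ranges, paths from the diary).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2019:10:00:01 +0000] "HEAD /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1" 404 -
192.0.2.10 - - [01/Jan/2019:10:00:02 +0000] "HEAD /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 404 -
198.51.100.7 - - [01/Jan/2019:10:05:00 +0000] "GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2019:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def scan(lines):
    """Group file manager requests by client IP.

    'reachable' lists paths answered with 2xx: the component exists on this
    server and its configuration needs review.
    """
    by_ip = defaultdict(lambda: {"hits": 0, "commands": set(), "reachable": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access log line
        url = urlsplit(m["target"])
        if not FILEMANAGER_RE.search(url.path):
            continue  # unrelated request
        rec = by_ip[m["ip"]]
        rec["hits"] += 1
        # Connector calls carry the requested action in the Command parameter.
        rec["commands"].update(parse_qs(url.query).get("Command", []))
        if m["status"].startswith("2"):
            rec["reachable"].add(url.path)
    return dict(by_ip)

if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, rec["hits"], sorted(rec["commands"]), sorted(rec["reachable"]))
```

Any non-empty `reachable` set is the item to act on first: that path should be password protected or the file upload capability disabled, as recommended above.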
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter @johullrich
