FCKeditor arbitrary file upload - Vulnerability Database

Description

FCKeditor, a widely-used web-based HTML editor, contains an insecure file upload mechanism that allows unauthenticated remote attackers to upload arbitrary files to the web server. The vulnerability exists in FCKeditor's file management functionality, which fails to properly validate file types and restrict upload permissions. Attackers can exploit this weakness to upload malicious executable files (such as web shells or scripts) to the server without authentication. During testing, Invicti successfully uploaded a test file named Acunetix_WVS_File_Upload_test.txt to verify the presence of this vulnerability.

Remediation

Take the following steps to remediate this vulnerability:

1. Upgrade FCKeditor: Update to the latest version of CKEditor (the successor to FCKeditor), as FCKeditor is no longer maintained and contains multiple security vulnerabilities.

2. Disable File Upload Functionality: If file upload capabilities are not required, completely disable the file upload and file browser features by removing or restricting access to the file manager connector scripts (typically located in /fckeditor/editor/filemanager/connectors/).

3. Implement Access Controls: If file upload functionality is necessary, implement strong authentication and authorization checks before allowing any file operations. Restrict access to the file upload functionality to authenticated and authorized users only.

4. Validate File Uploads: Implement strict server-side validation including: whitelist-based file type checking, file extension verification, MIME type validation, and file content inspection to prevent upload of executable files.

5. Apply Web Server Restrictions: Configure the web server to prevent execution of scripts in upload directories and store uploaded files outside the web root when possible.
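The checks listed in steps 4 and 5 can be combined into a single server-side gate. The following is an added example, not code from Invicti, FCKeditor, or CKEditor; the function names, the allowlist contents, and the storage directory argument are assumptions chosen for illustration, and the caller is assumed to have already authenticated the user (step 3).

```python
import os
import secrets

# Constructed allowlist: extension -> (expected MIME type, leading magic bytes).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
    ".pdf": ("application/pdf", b"%PDF-"),
}

class UploadRejected(Exception):
    pass

def validate_upload(filename, declared_mime, data):
    """Return a server-generated storage name, or raise UploadRejected."""
    # Discard any client-supplied directory part (both separator styles).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name, ext = os.path.splitext(base.lower())
    if "\x00" in base or not name or base.startswith("."):
        raise UploadRejected("bad filename")
    if "." in name:  # e.g. page.php.png: only one extension is accepted
        raise UploadRejected("multiple extensions")
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    mime, magic = ALLOWED[ext]
    if declared_mime != mime:
        raise UploadRejected("MIME mismatch")
    if not data.startswith(magic):  # content inspection, not just the name
        raise UploadRejected("content mismatch")
    # The client's name is never used on disk; only the vetted extension is.
    return secrets.token_hex(16) + ext

def rejection_reason(filename, declared_mime, data):
    """Return None if the upload is acceptable, else the rejection reason."""
    try:
        validate_upload(filename, declared_mime, data)
    except UploadRejected as exc:
        return str(exc)
    return None

def store_upload(upload_dir, filename, declared_mime, data):
    """Validate, then write to upload_dir (assumed to be outside the web root)."""
    path = os.path.join(upload_dir, validate_upload(filename, declared_mime, data))
    # O_EXCL refuses to overwrite; mode 0o640 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

A magic-byte prefix check only confirms how the file begins, so it complements the web server restrictions in step 5 rather than replacing them.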
