FCKEditor Upload Exploit

glFusion v1.0.0 and v1.0.1 are vulnerable to unsolicited file upload via the FCKEditor.  A malicious user could upload files to the public_html/images/library/ directory of your web server using this hole.  Fortunately, the file types are filtered by the whitelist in FCKeditor so only media type files can be uploaded. This means no PHP or JavaScript files could be uploaded.  Regardless, you should update the upload.php file shipped with glFusion with the latest patched version to prevent any unsolicited uploads.

A fix is published with the latest glFusion release.  To manually patch upload.php, make the following modification: edit public_html/fckeditor/editor/filemanager/connectors/php/upload.php, at the beginning of the upload.php file, after the copyright notice but before the first require(...), add this piece of code:

if (strpos ($_SERVER['PHP_SELF'], 'upload.php') !== false)
    die ('This file can not be used on its own.');

Save the file and you are done.


by Mark

Mark is the main developer on glFusion. When not doing his real job and playing with his family, he really enjoys working on glFusion and the collaboration with the glFusion community.

Share It!