FCKeditor Vulnerability

fckeditor

fckeditor For those of you using FCKeditor, make sure you have things locked down!  The section of the editor that lets you upload files may be exposed and not secure.  What does this mean?

  • You can use the page to upload a malicious script (asp, aspx, php), such as a root kit
  • You can use the root kit to gain local access to the server box and destroy things
  • You can upload images and files to be used for a Warez storage site

It is easy to find this file, all you have to do is type in the path to the upload page in Google and you will find a ton of websites using the editor.

fckeditor/editor/filemanager/browser/default/browser.html

If your site is getting indexed, make sure you update your robots.txt file to include a disallow for indexing for that path. 

Also, if you are using local NT username and passwords, you must instill a strict password policy.  You may want to even place directory level security if you are using IIS.  Using simple usernames and passwords will only get you into more trouble!

1 thought on “FCKeditor Vulnerability”

Leave a Reply

Your email address will not be published. Required fields are marked *