FCKeditor connector.php任意文件上传漏洞

http://www.sebug.net/exploit/5799/

FCKeditor是一款开放源码的HTML文本编辑器。

FCKeditor的editor/filemanager/browser/default/connectors/php/connector.php模块中存在文件上传限制漏洞：

    147.    function FileUpload( $resourceType, $currentFolder )
    148.    {
    149.        $sErrorNumber = '0' ;
    150.        $sFileName = '' ;
    151.   
    152.        if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )
    153.        {
    154.            $oFile = $_FILES['NewFile'] ;
    155.   
    156.            // Map the virtual path to the local server path.
    157.            $sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;
    158.   
    159.            // Get the uploaded file name.
    160.            $sFileName = $oFile['name'] ;
    161.            $sOriginalFileName = $sFileName ;
    162.            // Security fix by truzone 01-15-2006
    163.            //$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
    164.            //$sExtension = strtolower( $sExtension ) ;
    165.   
    166.            if(extension_loaded("mime_magic")){
    167.            $sExtension = mime_content_type($oFile['tmp_name']);
    168.            }else{
    169.            $sExtension = $oFile['type'];
    170.            }
    171.            // en of security fix by truzone 01-15-2006
    172.            global $Config ;
    173.   
    174.            $arAllowed    = $Config['AllowedExtensions'][$resourceType] ;
    175.            $arDenied    = $Config['DeniedExtensions'][$resourceType] ;

由于166-170行仅检查了MIME类型的上传请求，因此远程攻击者可以通过pht扩展名向Web服务器上传恶意脚本。