- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass - Credit goes to: Mostafa Azizi, Soroush Dalili - Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/ - Description: There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension. - Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/ - Solution: Please check the provided reference or the vendor website. - PoC:http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720 " Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass: In “config.asp”, wherever you have: ConfigAllowedExtensions.Add “File”,”Extensions Here” Change it to: ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”Брой прочитания на тази страница: 1323
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass