A quote from
http://www.dotnetmonster.com/Uwe/Forum. ... or-to-work
The current implementation of the file system connectors allows unauthorized
access to the file system. I checked PHP, ASP, ASP.NET, and ColdFusion
implementations and all of them can be easily used to list the files in any
directory on the Website, create new directories, and upload files
including scripts that can be run remotely to do even more harm. The
problem is that the connectors do not validate any parameters, and they
use the ServerPath URL parameter, which can point to any directory.
Tue, 05/31/2005 - 17:31
#1
RE: Serious security hole PHP, ASP, ASP.NET, CF
This main security hole was only present pre-RC3; this should have been corrected, as per:
http://sourceforge.net/tracker/index.ph ... tid=543653
As Fred has said there may be ways around this, but in general it isn't as bad as the original post makes out.
RE: Serious security hole PHP, ASP, ASP.NET, CF
Normally, in a web site you give write privileges just to the upload directory, so it would not be possible to upload anything outside there.
There are also some ways to force the connectors to ignore the QueryString path. Just configure the ASP or PHP connectors with their respective config file, or the ASP.Net connector with a Web.config fixed entry.
This is something that needs more work. mcukstorm is working on the new File Browser that will be even more secure than the current one.
FredCK
Frederico Knabben
CKEditor Project Lead and CKSource Owner
--
Follow us on: Twitter | Facebook | Google+ | LinkedIn
RE: Serious security hole PHP, ASP, ASP.NET, CF
1. Many Web hosting companies do not allow users to change settings of folders.
2. One may simply not know, or forget, to change the security settings. The best way to kill this project is to create bad publicity after hackers hack a few thousand sites that are using FCKeditor. This attack can be easily automated, and I believe it can take just a few hours to find all publicly accessible sites that use the control and infect them.
3. Read access to files will still be open. I did not try to create anything, but even on your Web site I can see all the files in any directory.
RE: Serious security hole PHP, ASP, ASP.NET, CF
Also do not forget that on many sites you need to have many upload directories, not just one. I definitely recommend that anyone who is using the control delete all the existing file connectors until the problem is fixed. Do not believe me? Just try these steps on your Web site:
1. Open http://www.fckeditor.net/FCKeditor/edit ... /test.html
2. Select connector (on the fckeditor it is PHP)
3. Type "/../../../" in the current folder field
4. Click "Get Folders and Files"
5. OK, now we see all the files and folders in the root directory of the web site.
6. Where do we go next? Maybe it is time to try to create something?
I tried all the connectors except Perl and all of them have the same security hole.
Again, this must be fixed at the level of the architecture and connectors, not at the level of just the UI.
RE: Serious security hole PHP, ASP, ASP.NET, CF
Thanks,
FredCK
Frederico Knabben
CKEditor Project Lead and CKSource Owner
RE: Serious security hole PHP, ASP, ASP.NET, CF
Nope. It is not secure either. It fixes some of the bugs but adds others that are even easier to crack. Here I've uploaded a hello world PHP page; it could be something more serious.
http://mcpuk.net/fbxp/demo/data/resourc ... e/test.php
RE: Serious security hole PHP, ASP, ASP.NET, CF
Of course this applies to any technology applied.
RE: Serious security hole PHP, ASP, ASP.NET,
The UserFilesPath is not set in the config.php or somewhere
else and globalled; if this is not set, the connector then looks to
the ServerPath variable from the query string (this is where
things could be abused). Also, if the user sets the UserFilesPath in the config, the connector is still vulnerable to
users entering ../ into the path passed from the file browser.
These are the only two possibilities I have found from looking
through the default connector code, and these will only let you view files (don't get any ideas, viewing source of server side scripts won't work) on the server unless the permissions are incorrectly set up.
However, there is presently a solution to this: there is an alternative connector in the mcpuk implementation (which
was included in the current release) that is not susceptible to either
of these, as the site administrator is required to enter the user
files path in the php config, and checks are made to prevent ../
from walking up the directory tree.
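As an added illustration (not code from this thread or from FCKeditor's own connectors), here is a Python version of the two defences the post above describes: the base folder comes only from server-side configuration, never from a ServerPath query parameter, and any requested folder that would escape it is rejected, including the "/../../../" case from earlier in the thread and its URL-encoded and backslash variants. The names USER_FILES_PATH, resolve_connector_folder and folder_is_allowed are my own.

```python
import posixpath
from urllib.parse import unquote

# Constructed value: the files root an administrator fixes in server-side
# configuration (the forced "UserFilesPath" the thread recommends). It is
# never taken from the request.
USER_FILES_PATH = "/UserFiles/"


def resolve_connector_folder(current_folder: str, base: str = USER_FILES_PATH) -> str:
    """Map a CurrentFolder request parameter onto a virtual path under base.

    Raises ValueError for anything that would leave base: a '..' segment
    (also in URL-encoded or backslash form), a NUL byte, or a normalised
    path that does not sit inside base. Returns the normalised path with
    a trailing '/'.
    """
    # Decode twice so a connector that decodes once cannot be fed %252e%252e.
    decoded = unquote(unquote(current_folder))
    # Treat backslashes as separators so "..\" aimed at Windows hosts is caught.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in folder name")
    # Reject any '..' segment outright instead of trying to normalise it away.
    if any(seg == ".." for seg in decoded.split("/")):
        raise ValueError("parent-directory segment in folder name")
    # Strip a leading '/' so an absolute path cannot replace base in join().
    joined = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    base_norm = posixpath.normpath(base)
    # Final containment check on the normalised result.
    if joined != base_norm and not joined.startswith(base_norm + "/"):
        raise ValueError("folder resolves outside UserFilesPath")
    return joined + "/"


def folder_is_allowed(current_folder: str, base: str = USER_FILES_PATH) -> bool:
    """Boolean form of the check, handy for logging and rejecting requests."""
    try:
        resolve_connector_folder(current_folder, base)
        return True
    except ValueError:
        return False
```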
RE: Serious security hole PHP, ASP, ASP.NET,
A solution could be saving the upload directory to a session variable and passing the variable name to the connector. However, this does not work in the current implementation because the file browser dialog creates another session when it requests data from the connector.
RE: Serious security hole PHP, ASP, ASP.NET,
Session variables are not an option, as IE's implementation of the XML HTTP Request object does not pass a pre-existing session id in the headers. Cookies are an option, or passing session ids. The mcpuk implementation also includes 'authentication' which allows for each user/post/etc. to have their own area, all under one base directory, i.e. /UserFiles/user99/Files or /UserFiles/user93/Files. This is not as flexible as it needs to be, but such sacrifices are required if you want a secure solution.
RE: Serious security hole PHP, ASP, ASP.NET,
<appSettings>
<add key="FCKeditor:BasePath" value="/scripts/FCKeditor/" />
<add key="FCKeditor:UserFilesPath" value="/UserFiles/" />
</appSettings>
In this way you will force the "UserFilesPath".
FredCK
Frederico Knabben
CKEditor Project Lead and CKSource Owner
RE: Serious security hole PHP, ASP, ASP.NET,
As I said, the session variables do not work in the current implementation. Cookies are not good either, as they can grow too big if one actively uses the editor on different pages (in my case the paths are not just user specific or even session specific, they are page specific).
RE: Serious security hole PHP, ASP, ASP.NET,
<!---
    Uncomment this next line to reset the client var path if necessary during testing
    <cfset client.CurrFilePath=client.ImageFTPPath>
--->
<!--- default= needs #...#; without it the literal text "client.ImageFTPPath" is stored --->
<cfparam name="client.CurrFilePath" default="#client.ImageFTPPath#" type="string">
<cfparam name="url.Action" default="" type="string">
<cfparam name="url.FDR" default="" type="string">
<cfscript>
    /*
        These next settings make this file standalone so it can be used in
        any FCKEditor installation. Plug in your own values below.
    */
    variables.FilePath=client.ImageFTPPath;
    variables.FileURL=client.ImageURLPath;
    variables.FileTypes=request.ImageFileList;

    switch (url.Action)
    {
        // display a child folder's contents
        case "1": {
            // analyze the url variable and see if some clown has gotten the
            // bright idea to hack into the url and pass their own version.
            // Penalty for any failure is to dump them into the allowed root
            // (a more thorough response would be better, but is up to each
            // individual developer).
            // first, set the desired new path...
            client.CurrFilePath=client.CurrFilePath & '\' & urldecode(url.FDR);
            // the first test is for a ".." segment, which is a no-no anywhere
            // in the string. Find() is used rather than ListContains(): with
            // '/' and '\' as list delimiters no element could ever contain "..\".
            if (Find('..',client.CurrFilePath)) {
                client.CurrFilePath=variables.FilePath & '\';
            }
            // Now match up the drive and folders specified in the preset root path with
            // the corresponding ones in the newly selected. If the root drive and
            // folders aren't what they are supposed to be, someone got a hack past
            // us. ListLen() must use the '/\' delimiters too; with the default
            // comma delimiter only the first path segment would ever be compared.
            variables.pathTestFailure="N";
            // a path with fewer segments than the root cannot be inside it
            if (ListLen(client.CurrFilePath,'/\') LT ListLen(variables.FilePath,'/\')) {
                variables.pathTestFailure="Y";
            }
            variables.LoopCounter=1;
            while (variables.pathTestFailure EQ "N" and variables.LoopCounter LTE ListLen(variables.FilePath,'/\')) {
                variables.VerifiedItem=ListGetAt(variables.FilePath,variables.LoopCounter,'/\');
                variables.PassedItem=ListGetAt(client.CurrFilePath,variables.LoopCounter,'/\');
                if (compareNoCase(variables.VerifiedItem,variables.PassedItem)) {
                    variables.pathTestFailure="Y";
                }
                variables.LoopCounter=variables.LoopCounter+1;
            }
            if (variables.pathTestFailure EQ "Y") {
                client.CurrFilePath=variables.FilePath & '\';
            }
            break;
        }
        // display the parent folder if and only if
        // this is not the designated root folder
        case "2": {
            if (CompareNoCase(client.CurrFilePath,variables.FilePath)) {
                // work on the reversed path: skip a trailing separator, then
                // cut everything up to the next separator, i.e. drop the last folder
                currDirTemp=Reverse(client.CurrFilePath);
                upCount=1;
                s=0;
                for (i=1;i LTE upCount;i=i+1) {
                    s=findoneof("\/",currDirTemp,1);
                    if (s EQ 1) {
                        currDirTemp=Right(currDirTemp,val(Len(currDirTemp)-s));
                        // findoneof() so forward-slash paths are handled like backslash ones
                        s=findoneof("\/",currDirTemp,1);
                        currDirTemp=Right(currDirTemp,val(Len(currDirTemp)-s));
                    } else {
                        currDirTemp=Right(currDirTemp,val(Len(currDirTemp)-s));
                    }
                }
                client.CurrFilePath=reverse(replacenocase(currDirTemp,'/','\','ALL'));
                // run the same drive/folder matching test as in Case 1
                variables.pathTestFailure="N";
                if (ListLen(client.CurrFilePath,'/\') LT ListLen(variables.FilePath,'/\')) {
                    variables.pathTestFailure="Y";
                }
                variables.LoopCounter=1;
                while (variables.pathTestFailure EQ "N" and variables.LoopCounter LTE ListLen(variables.FilePath,'/\')) {
                    variables.VerifiedItem=ListGetAt(variables.FilePath,variables.LoopCounter,'/\');
                    variables.PassedItem=ListGetAt(client.CurrFilePath,variables.LoopCounter,'/\');
                    if (compareNoCase(variables.VerifiedItem,variables.PassedItem)) {
                        variables.pathTestFailure="Y";
                    }
                    variables.LoopCounter=variables.LoopCounter+1;
                }
                if (variables.pathTestFailure EQ "Y") {
                    client.CurrFilePath=variables.FilePath & '\';
                }
            }
            break;
        }
        default: {
            if (len(url.Action)) {
                /*
                    This would be a good place to put in a security alert.
                    The Action parameter should default to a zero-length string.
                    If execution falls thru to here then it's not, and that means
                    probably that some clown is hacking the url to see what they
                    can come up with.
                */
            }
            break;
        }
    } // end switch
</cfscript>
RE: Serious security hole PHP, ASP, ASP.NET,
By the way it is available from my web site as a ZIP file (and has been for some time) at http://mysecretbase.com/browse_new.zip. The original file has its indenting preserved which makes it a heck of a lot easier to read.
This is a pretty serious weakness, I might add.
RE: Serious security hole PHP, ASP, ASP.NET,
I forgot that my original version existed so that a navigable tree would be created. The snippet above doesn't include that portion of the code, which explains why you see url variables that you've never seen before.
Anyway, it should be fairly easy to proof a ColdFusion template against this sort of thing.