PT-2006-1714 · Ckeditor · Ckeditor
Blackhawk · Published 2006-02-13 · Updated 2017-10-11 · CVE-2006-0658
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: FCKeditor versions 2.0 through 2.2
Description: The issue allows remote attackers to upload and execute arbitrary script files by giving the files extensions that are not listed in Config[DeniedExtensions][File], such as .php.txt. The cause is an incomplete blacklist in the connector.php file: only the listed extensions are rejected, so any extension outside the list is accepted.
Recommendations: For FCKeditor versions 2.0 through 2.2, consider updating Config[DeniedExtensions][File] to include additional file extensions that could be used to execute arbitrary scripts, or restrict file uploads to prevent exploitation until a proper fix is available.
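The following is an added illustration, not FCKeditor's connector.php or the advisory author's code, of why a denylist keyed on the last extension accepts a name like shell.php.txt while a strict allowlist does not; the extension sets and the sample filenames are constructed for this example.

```python
import re

# Constructed, simplified stand-in for an upload filter that only rejects
# listed extensions (the incomplete-blacklist pattern the advisory describes).
# The set is assumed for this example, not FCKeditor's configured list.
DENIED_EXTENSIONS = {"php", "php3", "asp", "aspx", "jsp", "cgi", "exe"}

# Allowlist for the hardened check: only the types the application needs
# (assumed set for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

def denylist_allows(filename: str) -> bool:
    """Denylist check keyed on the final extension only.

    'shell.php.txt' passes because its last extension, 'txt', is not denied,
    even though a server mapping inner extensions to a handler may still
    execute it.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENIED_EXTENSIONS

def allowlist_allows(filename: str) -> bool:
    """Hardened check: exactly one extension, and it must be allowlisted.

    The pattern permits one dot, so double extensions ('shell.php.txt')
    and dot-prefixed names ('.htaccess') are rejected before the extension
    is even looked up.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}", filename):
        return False
    ext = filename.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS

def compare(filenames):
    """Return {filename: (denylist_accepts, allowlist_accepts)} for a batch."""
    return {f: (denylist_allows(f), allowlist_allows(f)) for f in filenames}

if __name__ == "__main__":
    # Constructed sample upload names.
    samples = ["photo.jpg", "notes.txt", "shell.php", "shell.php.txt", "x.PhP", ".htaccess"]
    for name, (deny, allow) in compare(samples).items():
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:16} denylist={verdict(deny):6}  allowlist={verdict(allow)}")
```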


Related Identifiers

CVE-2006-0658

Affected Products

Ckeditor