Scans for Open File Uploads into CKEditor
Last Updated: 2013-08-02 14:36:03 UTC
by Johannes Ullrich (Version: 1)
We are seeing *a lot* of scans for the CKEditor file upload script. CKEditor (aka "FCKEditor") is a commonly used gui editor allowing users to edit HTML as part of a web application. Many web applications like wikis and bulletin boards use it. It provides the ability to upload files to web servers. The scans I have observed so far apper to focus on the file upload function, but many scans will just scan for the presence of the editor / file upload function and it is hard to tell what the attacker would do if the editor is found.
Here are some sample reports:
Full sample POST request:
GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1
ACCEPT: text/html, */*
USER-AGENT: Mozilla/3.0 (compatible; Indy Library)
Some sample Apache logs:
HEAD /FCKeditor/editor/filemanager/upload/test.html HEAD /admin/FCKeditor/editor/filemanager/browser/default/connectors/test.html HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html HEAD /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HEAD /admin/FCKeditor/editor/filemanager/upload/test.html HEAD /FCKeditor/editor/filemanager/browser/default/connectors/test.html HEAD /FCKeditor/editor/filemanager/connectors/test.html HEAD /FCKeditor/editor/filemanager/connectors/uploadtest.html HEAD /FCKeditor/editor/filemanager/upload/test.html
Johannes B. Ullrich, Ph.D.
SANS Technology Institute