fckeditor php上传利用漏洞,Fckeditor 2.4.2 php任意上传文件漏洞

fckeditor/editor/filemanager/upload/php/upload.php

/*

* FCKeditor - The text editor for Internet - http://www.fckeditor.net

* Copyright (C) 2003-2007 Frederico Caldeira Knabben

*

* == BEGIN LICENSE ==

*

* Licensed under the terms of any of the following licenses at your

* choice:

*

* - GNU General Public License Version 2 or later (the "GPL")

*    http://www.gnu.org/licenses/gpl.html

*

* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")

*    http://www.gnu.org/licenses/lgpl.html

*

* - Mozilla Public License Version 1.1 or later (the "MPL")

*    http://www.mozilla.org/MPL/MPL-1.1.html

*

* == END LICENSE ==

*

* This is the "File Uploader" for PHP.

*/

require('config.php') ;

require('util.php') ;

// This is the function that sends the results of the uploading process.

function SendResults( $errorNumber, $fileUrl = '', $fileName = '', $customMsg = '' )

{

echo '

echo

'window.parent.OnUploadCompleted(' . $errorNumber . ',"' . str_replace(

'"', '\\"', $fileUrl ) . '","' . str_replace( '"', '\\"', $fileName ) .

'", "' . str_replace( '"', '\\"', $customMsg ) . '") ;' ;

echo '' ;

exit ;

}

// Check if this uploader has been enabled.

if ( !$Config['Enabled'] )

SendResults( '1', '', '', 'This file uploader is disabled. Please check the "editor/filemanager/upload/php/config.php" file' ) ;

// Check if the file has been correctly uploaded.

if ( !isset( $_FILES['NewFile'] ) || is_null( $_FILES['NewFile']['tmp_name'] ) || $_FILES['NewFile']['name'] == '' )

SendResults( '202' ) ;

// Get the posted file.

$oFile = $_FILES['NewFile'] ;

// Get the uploaded file name extension.

$sFileName = $oFile['name'] ;

// Replace dots in the name with underscores (only one dot can be there... security issue).

if ( $Config['ForceSingleExtension'] )

$sFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sFileName ) ;

$sOriginalFileName = $sFileName ;

// Get the extension.

$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;

$sExtension = strtolower( $sExtension ) ;

// The the file type (from the QueryString, by default 'File').

$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;

// Check if it is an allowed type.

if ( !in_array( $sType, array('File','Image','Flash','Media') ) )

SendResults( 1, '', '', 'Invalid type specified' ) ;

// Get the allowed and denied extensions arrays.

$arAllowed = $Config['AllowedExtensions'][$sType] ;

$arDenied = $Config['DeniedExtensions'][$sType] ;

// Check if it is an allowed extension.

if ( ( count($arAllowed)

> 0 && !in_array( $sExtension, $arAllowed ) ) || (

count($arDenied) > 0 && in_array( $sExtension, $arDenied ) )

)

SendResults( '202' ) ;

$sErrorNumber = '0' ;

$sFileUrl   = '' ;

// Initializes the counter used to rename the file, if another one with the same name already exists.

$iCounter = 0 ;

// Get the target directory.

if ( isset( $Config['UserFilesAbsolutePath'] ) && strlen( $Config['UserFilesAbsolutePath'] ) > 0 )

$sServerDir = $Config['UserFilesAbsolutePath'] ;

else

$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;

if ( $Config['UseFileType'] )

$sServerDir .= $sType . '/' ;

while ( true )

{

// Compose the file path.

$sFilePath = $sServerDir . $sFileName ;

// If a file with that name already exists.

if ( is_file( $sFilePath ) )

{

$iCounter++ ;

$sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;

$sErrorNumber = '201' ;

}

else

{

move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;

if ( is_file( $sFilePath ) )

{

$oldumask = umask(0) ;

chmod( $sFilePath, 0777 ) ;

umask( $oldumask ) ;

}

if ( $Config['UseFileType'] )

$sFileUrl = $Config["UserFilesPath"] . $sType . '/' . $sFileName ;

else

$sFileUrl = $Config["UserFilesPath"] . $sFileName ;

break ;

}

}

SendResults( $sErrorNumber, $sFileUrl, $sFileName ) ;

?>

fckeditor/editor/filemanager/upload/php/config.php

/*

* FCKeditor - The text editor for Internet - http://www.fckeditor.net

* Copyright (C) 2003-2007 Frederico Caldeira Knabben

*

* == BEGIN LICENSE ==

*

* Licensed under the terms of any of the following licenses at your

* choice:

*

* - GNU General Public License Version 2 or later (the "GPL")

*    http://www.gnu.org/licenses/gpl.html

*

* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")

*    http://www.gnu.org/licenses/lgpl.html

*

* - Mozilla Public License Version 1.1 or later (the "MPL")

*    http://www.mozilla.org/MPL/MPL-1.1.html

*

* == END LICENSE ==

*

* Configuration file for the PHP File Uploader.

*/

global $Config ;

// SECURITY: You must explicitelly enable this "uploader".

$Config['Enabled'] = false ;

// Set if the file type must be considere in the target path.

// Ex: /userfiles/p_w_picpath/ or /userfiles/file/

$Config['UseFileType'] = false ;

// Path to uploaded files relative to the document root.

$Config['UserFilesPath'] = '/userfiles/' ;

// Fill the following value it you prefer to specify the absolute path for the

// user files directory. Usefull if you are using a virtual directory, symbolic

// link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.

// Attention: The above 'UserFilesPath' must point to the same directory.

$Config['UserFilesAbsolutePath'] = '' ;

// Due to security issues with Apache modules, it is reccomended to leave the

// following setting enabled.

$Config['ForceSingleExtension'] = true ;

$Config['AllowedExtensions']['File'] = array() ;

$Config['DeniedExtensions']['File']

=

array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis')

;

$Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;

$Config['DeniedExtensions']['Image'] = array() ;

$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;

$Config['DeniedExtensions']['Flash'] = array() ;

?>