CVE-2009-2265
published 2009-07-05


Priority: P180
CVSS 2.0: 7.5 (high), AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 83.86% (99.7th percentile)
Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.

Affected

24 ranges
Vendor | Product | Version range | Fixed in
fckeditor | fckeditor | <= 2.6.4 |

Detection & IOCs (extracted from sources)

url: /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{filename}.jsp%00
path: /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm
path: /userfiles/file/
path: editor/filemanager/connectors/
command: Command=FileUpload&Type=File&CurrentFolder=/<payload>.jsp%00
filename: *.jsp (uploaded via null-byte truncation of .txt extension)
port: 8500
  • Detect HTTP POST requests to the FCKeditor upload connector path containing a null-byte (%00) in the CurrentFolder parameter, which is the directory traversal trigger used to place a JSP webshell.
  • Monitor for newly created .jsp files under /userfiles/file/ on ColdFusion servers, as the exploit drops the webshell there and then GETs it to trigger execution.
  • Alert on multipart/form-data POST requests where the uploaded filename ends in .txt but the CurrentFolder query parameter contains a .jsp path with a null byte (%00), indicating null-byte extension smuggling.
  • Look for HTTP responses containing 'OnUploadCompleted' from the FCKeditor upload connector, which confirms a successful file upload exploitation attempt.
  • The exploit uses msfvenom to generate a java/jsp_shell_reverse_tcp payload; monitor for outbound reverse TCP connections from the ColdFusion process after a POST to the FCKeditor upload path.
  • The vulnerable upload endpoint is only reachable if the FCKeditor filemanager directory is present and accessible. MoinMoin deployments were found not to invoke the filemanager, and removing the editor/filemanager/ directory entirely mitigates the vulnerability without patching.
  • Horde's embedded FCKeditor is not affected because it does not include the editor/filemanager/ directory and supporting files.
  • The Metasploit module targets ColdFusion 8.0.1 on Windows and defaults to port 80; the Python PoC targets port 8500 (default ColdFusion standalone HTTP port). Adjust detection rules accordingly for the environment.
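
The first two detection points above, sketched as a log scan. This is an added example, not code from the page or its sources; it assumes combined-format access logs, and the sample lines, the scan() function and the rule names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jul/2009:10:00:01 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/x.jsp%00 HTTP/1.1" 200 312
198.51.100.7 - - [05/Jul/2009:10:00:03 +0000] "GET /userfiles/file/x.jsp HTTP/1.1" 200 0
203.0.113.9 - - [05/Jul/2009:10:02:00 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=Image&CurrentFolder=/photos/ HTTP/1.1" 200 290
203.0.113.9 - - [05/Jul/2009:10:02:05 +0000] "GET /userfiles/file/notes.txt HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
CONNECTOR = "/editor/filemanager/connectors/"   # connector directory named on this page
DROP_DIR = "/userfiles/file/"                   # upload directory named on this page

def scan(log_text):
    """Return a list of (client, rule, request_target) findings."""
    findings, suspects = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        path = url.path.lower()
        if method == "POST" and CONNECTOR in path:
            # parse_qsl percent-decodes values, so %00 becomes a literal NUL.
            folders = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
                       if k.lower() == "currentfolder"]
            if any("\x00" in f for f in folders):
                suspects.add(client)
                findings.append((client, "null-byte-in-CurrentFolder", target))
        elif method == "GET" and path.startswith(DROP_DIR) and path.endswith(".jsp"):
            # Higher confidence when the same client just sent a flagged upload.
            rule = ("jsp-fetch-after-upload" if client in suspects
                    else "jsp-fetch-in-upload-dir")
            findings.append((client, rule, target))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Access logs do not record the multipart body, so the .txt-filename check in the third detection point needs a WAF or proxy that inspects request bodies.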

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | | 7.5 | HIGH |
vendor_redhat | | 7.5 | HIGH |