CVE-2009-2265
Published: 2009-07-05
Priority P180 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 83.86% (99.7th percentile)
Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fckeditor | fckeditor | <= 2.6.4 | — |
Detection & IOCs
url: /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{filename}.jsp%00
- Detect HTTP POST requests to the FCKeditor upload connector path containing a null byte (%00) in the CurrentFolder parameter, which is the directory traversal trigger used to place a JSP webshell.
- Monitor for newly created .jsp files under /userfiles/file/ on ColdFusion servers, as the exploit drops the webshell there and then GETs it to trigger execution.
- Alert on multipart/form-data POST requests where the uploaded filename ends in .txt but the CurrentFolder query parameter contains a .jsp path with a null byte (%00), indicating null-byte extension smuggling.
- Look for HTTP responses containing 'OnUploadCompleted' from the FCKeditor upload connector, which confirms a successful file upload exploitation attempt.
- The exploit uses msfvenom to generate a java/jsp_shell_reverse_tcp payload; monitor for outbound reverse TCP connections from the ColdFusion process after a POST to the FCKeditor upload path.
- The vulnerable upload endpoint is only reachable if the FCKeditor filemanager directory is present and accessible. MoinMoin deployments were found not to invoke the filemanager, and removing the editor/filemanager/ directory entirely mitigates the vulnerability without patching.
- Horde's embedded FCKeditor is not affected because it does not include the editor/filemanager/ directory and supporting files.
- The Metasploit module targets ColdFusion 8.0.1 on Windows and defaults to port 80; the Python PoC targets port 8500 (default ColdFusion standalone HTTP port). Adjust detection rules accordingly for the environment.
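
The first three detection notes above can be combined into one pass over web access logs. The following is an added example, not code from this page or its sources; it assumes combined-format access logs, and the finding names and sample lines are constructed for illustration. It goes slightly beyond the notes by matching any connector under editor/filemanager/connectors/ and by treating the CurrentFolder parameter name case-insensitively.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP, method and request target of a combined-format log line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')
CONNECTOR_DIR = "/editor/filemanager/connectors/"

UPLOAD = ("/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/"
          "upload.cfm?Command=FileUpload&Type=File&CurrentFolder=")
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jul/2009:10:00:00 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    f'198.51.100.7 - - [05/Jul/2009:10:00:05 +0000] "POST {UPLOAD}/abc123.jsp%00 HTTP/1.1" 200 310',
    '198.51.100.7 - - [05/Jul/2009:10:00:06 +0000] "GET /userfiles/file/abc123.jsp HTTP/1.1" 200 0',
    f'192.0.2.10 - - [05/Jul/2009:10:01:00 +0000] "POST {UPLOAD}/docs/ HTTP/1.1" 200 290',
    '192.0.2.44 - - [05/Jul/2009:10:02:00 +0000] "GET /userfiles/file/report.jsp HTTP/1.1" 404 0',
]

def classify(line):
    """Return (client_ip, finding) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    if m["method"] == "POST" and CONNECTOR_DIR in path:
        # parse_qs percent-decodes values, so %00 becomes a literal NUL character.
        params = {k.lower(): v for k, v in parse_qs(url.query).items()}
        for folder in params.get("currentfolder", []):
            if "\x00" in folder:
                jsp = ".jsp" in folder.lower()
                return m["ip"], "nul-jsp-smuggling" if jsp else "nul-in-currentfolder"
    if m["method"] == "GET" and path.startswith("/userfiles/file/") and path.endswith(".jsp"):
        return m["ip"], "jsp-fetch-userfiles"
    return None

def detect(lines):
    """List (ip, finding); a JSP fetch by a client with a flagged upload is escalated."""
    uploaders, alerts = set(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, kind = hit
        if kind.startswith("nul-"):
            uploaders.add(ip)
        elif ip in uploaders:
            kind = "upload-then-execute"
        alerts.append((ip, kind))
    return alerts
```

Access logs do not show the multipart filename or the 'OnUploadCompleted' response body, so those two checks need request and response capture at a proxy or WAF.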
CVSS provenance
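| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |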
Red Hat
moin: embedded fckeditor multiple directory traversal vulns
vendor_redhat·2009-07-03·CVSS 7.5
GHSA
GHSA-4849-cfqq-r8pq: Multiple directory traversal vulnerabilities in FCKeditor before 2
ghsa_unreviewed·2022-05-02
CVE-2009-2265 [HIGH] CWE-22 GHSA-4849-cfqq-r8pq: Multiple directory traversal vulnerabilities in FCKeditor before 2
VulnCheck
fckeditor fckeditor Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2009·CVSS 7.5
Affected: fckeditor fckeditor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2009-2265; https://www.cve.org/CVERecord?id=CVE-2009-2265
Exploit PoC: https
No detection rules found.
Exploit-DB
Adobe ColdFusion 8 - Remote Command Execution (RCE)
exploitdb·2021-06-24·CVSS 7.5
---
```python
# Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE)
# Google Dork: intext:"adobe coldfusion 8"
# Date: 24/06/2021
# Exploit Author: Pergyz
# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html
# Version: 8
# Tested on: Microsoft Windows Server 2008 R2 Standard
# CVE : CVE-2009-2265

#!/usr/bin/python3

from multiprocessing import Process
import io
import mimetypes
import os
import urllib.request
import uuid

class MultiPartForm:

    def __init__(self):
        self.files = []
        self.boundary = uuid.uuid4().hex.encode('utf-8')
        return

    def get_content_type(self):
        return 'multipart/form-data; boundary={}'.format(self.boundary.decode('utf-8'))

    def add_file(self, fieldname, filename, fileHandle, mimetype=None)
```
Exploit-DB
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)
exploitdb·2010-11-24
---
```ruby
##
# $Id: coldfusion_fckeditor.rb 11127 2010-11-24 19:35:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'ColdFusion 8.0.1 Arbitrary File Upload and Execute',
      'Description'    => %q{
          This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload
          and Execute vulnerability.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11127 $',
      'Platform'       => 'win',
      'Privileged'     => true,
      'References'     =>
        [
          [ 'CVE', '2009-2265' ],
          [
```
Metasploit
ColdFusion 8.0.1 Arbitrary File Upload and Execute
metasploit
This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload and Execute vulnerability.
- http://isc.sans.org/diary.html?storyid=6724
- http://mail.zope.org/pipermail/zope-dev/2009-July/037195.html
- http://packetstormsecurity.com/files/163271/Adobe-ColdFusion-8-Remote-Command-Execution.html
- http://secunia.com/advisories/35833
- http://secunia.com/advisories/35909
- http://sourceforge.net/project/shownotes.php?release_id=695430
- http://www.debian.org/security/2009/dsa-1836
- http://www.ocert.org/advisories/ocert-2009-007.html
- http://www.securityfocus.com/archive/1/504721/100/0/threaded
- http://www.securitytracker.com/id?1022513
- http://www.vupen.com/english/advisories/2009/1813
- http://www.vupen.com/english/advisories/2009/1825
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00710.html
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00750.html