Scans for Open File Uploads into CKEditor
We are seeing *a lot* of scans for the CKEditor file upload script. CKEditor (aka "FCKEditor") is a commonly used gui editor allowing users to edit HTML as part of a web application. Many web applications like wikis and bulletin boards use it. It provides the ability to upload files to web servers. The scans I have observed so far apper to focus on the file upload function, but many scans will just scan for the presence of the editor / file upload function and it is hard to tell what the attacker would do if the editor is found.
Here are some sample reports:
Full sample POST request:
GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1
HOST: --removed--
ACCEPT: text/html, */*
USER-AGENT: Mozilla/3.0 (compatible; Indy Library)
Some sample Apache logs:
HEAD /FCKeditor/editor/filemanager/upload/test.html HEAD /admin/FCKeditor/editor/filemanager/browser/default/connectors/test.html HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html HEAD /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HEAD /admin/FCKeditor/editor/filemanager/upload/test.html HEAD /FCKeditor/editor/filemanager/browser/default/connectors/test.html HEAD /FCKeditor/editor/filemanager/connectors/test.html HEAD /FCKeditor/editor/filemanager/connectors/uploadtest.html HEAD /FCKeditor/editor/filemanager/upload/test.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter @johullrich
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments