Bugtraq mailing list archives

runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package

From: rgod () autistici org
Date: 9 Feb 2006 23:05:08 -0000

--- RunCMS <= 1.3a2 remote code execution ------------------------------------

software:
site: http://www.runcms.org/public/modules/news/
description: "RUNCMS (E-Xoops) is a extensible content management system based
              on the v1 core of Xoops"
------------------------------------------------------------------------------

vulnerability: a user can upload a .php3 or .php5 file through the integrated 
FCKEditor package (calling directly the connector.php script) and execute 
arbitrary code & operating system commands on target machine

proof of concept exploit here:

i) http://retrogod.altervista.org/runcms_13a_xpl.html
(also this exploits a not documented arbitrary remote inclusion issue in runcms <=1.2) 


ii) http://retrogod.altervista.org/fckeditor_22_xpl.html
(this a generic exploit for FCKEditor 2.0 <= 2.2)

------------------------------------------------------------------------------
rgod

site: http://retrogod.altervista.org
mail: rgod at autistici org
------------------------------------------------------------------------------

Current thread:

runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package rgod (Feb 10)