Detections
Analytics

Cuyahoga FCKEditor Misconfiguration Unrestricted File Upload

medium Nessus Plugin ID 24003

Language:

Synopsis

The remote web server contains a .NET application that is affected by a security bypass vulnerability.

Description

The remote host is running Cuyahoga, an open source .NET website framework.

The installation of Cuyahoga fails to require authorization to access the FCKEditor component included with it. An unauthenticated, remote attacker may be able to leverage this flaw to view and upload files with FCKEditor.

Solution

Either retrieve the updated 'Web.config' file and place it in the 'Support/FCKeditor/editor/filemanager' directory of the affected site or upgrade to Cuyahoga 1.0.1 or later.

See Also

https://www.cuyahoga-project.org/10/section.aspx/61

Plugin Details

Severity: Medium

ID: 24003

File Name: cuyahoga_fckeditor_security_bypass.nasl

Version: 1.19

Type: remote

Family: CGI abuses

Published: 1/10/2007

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:cuyahoga:cuyahoga

Required KB Items: www/ASP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/5/2007

Reference Information

CVE: CVE-2007-0147

BID: 21927