FCKeditor.Java Connector Servlet 'CurrentFolder' Infinite Loop DoS

This script is Copyright (C) 2009-2011 Tenable Network Security, Inc.

Synopsis :

A web application running on the remote host has a denial of service

Description :

The remote web server is hosting a web application that uses
FCKeditor.Java, which is used to run FCKeditor in a Java environment.

Input to the 'CurrentFolder' parameter of the connector servlet is
not sanitized properly. It is possible to create a specially crafted
request that could put the web server into an infinite loop. A
remote attacker could use this to create a denial of service.

See also :


Solution :

Upgrade to FCKeditor.Java version 2.4.2 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.1
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 39875 (fckeditor_java_currentfolder_dos.nasl)

Bugtraq ID: 35709

CVE ID: CVE-2009-4875