FCKeditor arbitrary file upload

Description
  • Multiple vendor applications utilize FCKeditor. FCKeditor contains functionality to handle file uploads and file management. A remote attacker could use this functionality to upload malicious executable files on the system. To test file upload capabilities, Acunetix created a file named Acunetix_WVS_File_Upload_test.txt on the server.
Remediation
  • It is recommended to disable the file upload functionality in FCKeditor (if not required).
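
One way to check a web root after applying this remediation, as an added example that is not part of the original advisory or of FCKeditor: it reports PHP connector configs that still enable uploads and any leftover copies of the scanner's test file. It assumes the FCKeditor 2.x PHP connector, where a config.php under editor/filemanager/ gates uploads with $Config['Enabled']; the sample tree (siteA, siteB, userfiles) is constructed.

```python
import os, re, tempfile

# Assumption: FCKeditor 2.x PHP connectors gate uploads with $Config['Enabled'],
# set in a config.php somewhere under editor/filemanager/.
ENABLED_RE = re.compile(r"""^\s*\$Config\[\s*['"]Enabled['"]\s*\]\s*=\s*(\w+)""", re.I | re.M)
PROBE_NAME = "Acunetix_WVS_File_Upload_test.txt"  # file name given in the description

def audit(webroot):
    """Return (enabled_configs, probe_files) found under webroot, as sorted path lists."""
    enabled, probes = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        parts = dirpath.replace(os.sep, "/").split("/")
        for name in files:
            path = os.path.join(dirpath, name)
            if name == PROBE_NAME:
                probes.append(path)
            elif name == "config.php" and "filemanager" in parts:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    values = ENABLED_RE.findall(fh.read())
                # PHP keeps the last assignment; anything other than false counts as enabled.
                if values and values[-1].lower() != "false":
                    enabled.append(path)
    return sorted(enabled), sorted(probes)

def build_sample(root):
    """Constructed tree: one enabled connector, one disabled, one leftover test file."""
    connector = "/fckeditor/editor/filemanager/connectors/php/config.php"
    layout = {
        "siteA" + connector: "<?php\n$Config['Enabled'] = true ;\n",
        "siteB" + connector: "<?php\n// $Config['Enabled'] = true ;\n$Config['Enabled'] = false ;\n",
        "siteA/userfiles/file/" + PROBE_NAME: "scanner probe\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        enabled, probes = audit(root)
        for p in enabled:
            print("upload connector enabled:", os.path.relpath(p, root))
        for p in probes:
            print("leftover scanner test file:", os.path.relpath(p, root))
```

Connectors for other server languages use their own config files and are not covered by this check.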