FCKeditor 2.4.2 PHP arbitrary file upload vulnerability fix

1. Vulnerability description
In the fckeditor/editor/filemanager/upload/php/ directory,
the config.php file:
<?php
global $Config ;

// SECURITY: You must explicitly enable this "uploader".
$Config['Enabled'] = false ;

// Set if the file type must be considered in the target path.
// Ex: /userfiles/image/ or /userfiles/file/
$Config['UseFileType'] = false ;

// Path to uploaded files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ;

// Fill the following value if you prefer to specify the absolute path for the
// user files directory. Useful if you are using a virtual directory, symbolic
// link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
// Attention: The above 'UserFilesPath' must point to the same directory.
$Config['UserFilesAbsolutePath'] = '' ;

// Due to security issues with Apache modules, it is recommended to leave the
// following setting enabled.
$Config['ForceSingleExtension'] = true ;

$Config['AllowedExtensions']['File'] = array() ;
$Config['DeniedExtensions']['File']   = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;

$Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
$Config['DeniedExtensions']['Image'] = array() ;

$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
$Config['DeniedExtensions']['Flash'] = array() ;
?>

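The problem is that this config.php defines neither an allowlist nor a denylist for the Media type, most likely an oversight,
because the config.php in the fckeditor/editor/filemanager/browser/default/connectors/php directory does restrict Media.
2. Exploitation
Write your own upload form: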
<form id="frmUpload" enctype="multipart/form-data" action="http://phpff.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
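Any file can now be uploaded to the server; after submitting, view the source of the response page to see where the uploaded file was stored.
3. Fix
It is best to use a newer version, or copy the following code to the end of config.php.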
$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
$Config['DeniedExtensions']['Media'] = array() ;
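
The check below is an added example, not FCKeditor's own code. It assumes the uploader treats an empty or missing extension list as "no restriction", which is how the config.php above is written; the function names and test filenames are hypothetical. It audits a config for upload types that have no lists at all and contrasts the permissive check with a fail-closed one.

```php
<?php
// Added example. Function names are hypothetical, not FCKeditor's API.

function ext_of(string $name): string {
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Assumed legacy semantics: an empty or missing list imposes no limit.
function permitted_legacy(array $config, string $type, string $name): bool {
    $allowed = $config['AllowedExtensions'][$type] ?? [];
    $denied  = $config['DeniedExtensions'][$type] ?? [];
    $ext = ext_of($name);
    if (count($allowed) > 0 && !in_array($ext, $allowed, true)) return false;
    if (count($denied) > 0 && in_array($ext, $denied, true)) return false;
    return true;
}

// Fail-closed variant: the type must have a non-empty allowlist and the
// extension must be on it. A deny-list-only type such as File is rejected.
function permitted_strict(array $config, string $type, string $name): bool {
    $allowed = $config['AllowedExtensions'][$type] ?? [];
    return count($allowed) > 0 && in_array(ext_of($name), $allowed, true);
}

// Audit: upload types for which neither list is populated.
function unrestricted_types(array $config, array $types): array {
    return array_values(array_filter($types, function ($t) use ($config) {
        return empty($config['AllowedExtensions'][$t])
            && empty($config['DeniedExtensions'][$t]);
    }));
}

// Constructed config mirroring the page's config.php (File deny list shortened).
$before = [
    'AllowedExtensions' => ['File' => [], 'Image' => ['jpg','gif','jpeg','png'], 'Flash' => ['swf','fla']],
    'DeniedExtensions'  => ['File' => ['html','htm','php','phtml','asp','jsp','cgi'], 'Image' => [], 'Flash' => []],
];
// Same config with the page's two Media lines appended.
$after = $before;
$after['AllowedExtensions']['Media'] = ['swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg'];
$after['DeniedExtensions']['Media']  = [];

$types = ['File', 'Image', 'Flash', 'Media'];   // the types named on this page
echo "Unrestricted types before fix: ", implode(',', unrestricted_types($before, $types)), "\n";
echo "Unrestricted types after fix:  ", implode(',', unrestricted_types($after, $types)), "\n";
foreach (['before' => $before, 'after' => $after] as $label => $cfg) {
    printf("%s: legacy check, Media, example.php -> %s\n", $label, var_export(permitted_legacy($cfg, 'Media', 'example.php'), true));
    printf("%s: strict check, Media, example.php -> %s\n", $label, var_export(permitted_strict($cfg, 'Media', 'example.php'), true));
}
```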

References
http://tiantianhuoshan.blog.163.com/blog/static/9080261920105102014844/

Customizing Chinese font names and font sizes in FCKEditor

In fckconfig.js, find the following two lines:
FCKConfig.FontNames     = 'Arial;Comic Sans MS;Courier New;Tahoma;Times New Roman;Verdana' ;
FCKConfig.FontSizes     = 'smaller;larger;xx-small;x-small;small;medium;large;x-large;xx-large' ;

Comment them out and add the following code (choose only one of the font-size options):
// Chinese fonts:
FCKConfig.FontNames = '微软雅黑;宋体;新宋体;黑体;隶书;幼圆;楷体_GB2312;仿宋_GB2312;方正舒体;方正姚体;华文隶书;华文新魏;华文行楷;sans-serif;Arial;Comic Sans MS;Courier New;Tahoma;Times New Roman;Verdana' ;
// Select by pixel size:
FCKConfig.FontSizes = '9px;10px;12px;14px;16px;18px;20px;22px;24px;36px' ;
// Select by Chinese type size (converted to pixels):
FCKConfig.FontSizes = '56px/初号;48px/小初;34px/一号;32px/小一;29px/二号;24px/小二;21px/三号;20px/小三;18px/四号;16px/小四;14px/五号;12px/小五;10px/六号;8px/小六' ;
// Select by Chinese type size (converted to points):
FCKConfig.FontSizes = '42pt/初号;36pt/小初;26pt/一号;24pt/小一;22pt/二号;18pt/小二;16pt/三号;15pt/小三;14pt/四号;12pt/小四;10.5pt/五号;9pt/小五;7.5pt/六号;6.5pt/小六' ;

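Fixing garbled Chinese image filenames on upload in FCKeditor

Chinese image filenames come out garbled on upload in FCKeditor mainly because the server does not support Chinese; the most thorough fix is to rename the file to a non-Chinese name at upload time.

The steps are as follows.
In the file fckeditor\editor\filemanager\connectors\php\commands.php
find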
$sOriginalFileName = $sFileName ;

// Get the extension.
$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
$sExtension = strtolower( $sExtension ) ;

Add this line below it:
$sFileName = date("YmdHis").rand(100, 200).".".$sExtension;  

This way, images with Chinese names are renamed to the current date plus a random number.