Intrusion Prevention



Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in Config[DeniedExtensions][File], such as .php.txt.
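
The denylist weakness described above, shown beside an allowlist check, as an added example that is not FCKeditor or RunCMS code. The function names, extension lists and sample filenames are constructed for illustration.

```php
<?php
// Added example: simplified model of upload filename checks, not the connector.php source.

// Denylist check: compares only the final extension against a list of denied ones.
// Anything the list forgets, or any extra trailing extension, passes.
function denylist_allows(string $name, array $denied): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

// Allowlist check: the name must be exactly "stem.ext" with no further dots,
// and the single extension must be one the application explicitly permits.
function allowlist_allows(string $name, array $allowed): bool {
    $base = basename(str_replace('\\', '/', $name)); // drop any client-supplied path
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $base, $m)) {
        return false; // double extensions, empty stems and odd characters are refused
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Store accepted uploads under a server-generated name so the client
// never controls the stem that ends up on disk.
function stored_name(string $name): string {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$denied  = ['php', 'php3', 'phtml', 'asp', 'cgi']; // constructed, deliberately incomplete
$allowed = ['txt', 'pdf', 'zip'];                  // constructed
$samples = ['report.pdf', 'notes.php.txt', 'shell.php', 'a.PHP5', 'archive.tar.gz'];

foreach ($samples as $s) {
    $deny  = denylist_allows($s, $denied);
    $allow = allowlist_allows($s, $allowed);
    printf("%-16s denylist=%-5s allowlist=%-5s stored=%s\n",
        $s,
        var_export($deny, true),
        var_export($allow, true),
        $allow ? stored_name($s) : '-');
}
```

Only the allowlist rejects both the double-extension name and the extension the denylist forgot; serving the upload directory with script execution disabled is a separate control that this check does not replace.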

Affected Products

RunCMS RunCMS 1.2
RunCMS RunCMS 1.1 A
RunCMS RunCMS 1.1
RunCMS RunCMS 1.3.a2
FCKeditor FCKeditor 2.0 RC3
FCKeditor FCKeditor 2.0 RC2
FCKeditor FCKeditor 2.2


Arbitrary code execution.

Recommended Actions

Upgrade to FCKeditor 2.3 beta or higher.

CVE References