WAF 388000

From Atomicorp Wiki
Revision as of 13:12, 24 July 2011 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Rule ID

388000

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules - Virtual Patch: Possible Attempt to Access vulnerable FCKeditor file upload connector (Disable if you have configured this connector to require authentication)

Description

This rule detects the use of FCKEditor file upload connector. This tool has the potential to be used in an unauthenticated manner, making it possible for attackers to upload files to your system without your permissions. A number of web applications use this connector, and configure it an unauthenticated manner.

This rules work by detecting the use of this connector.

False Positives

A false positive can only occur when an the application is used in an authenticated manner. If you know that this connector is properly protected, then disable this rule. However, if the application is not properly protected, disabling this rule will make it possible for anyone to upload files to the system. This method is well known and is used regularly to compromise hosts.

Tuning Guidance

If you know that this behavior is acceptable for your application, please log into your ASL gui, click on Configuration, then Rules Manager. And disable this rule only for the virtual hosts that use it. We do not recommend you disable this rule globally.

If you are not using ASL, then you will have to manually configure your modsecurity rules for your needs. Please see the Tuning the Atomicorp WAF Rules page for basic information.

Similar Rules

Knowledge Base Articles

None.

Outside References

None.

Personal tools