Web Wiz Rich Text Editor (RTE) is a free-to-download WYSIWYG HTML editor that replaces standard text areas with an advanced Word-style HTML area for users. On May 10, 2011, Web Wiz (the hosting and web application development company behind Web Wiz Rich Text Editor and Web Wiz Forums) released an update to Rich Text Editor because of a critical security vulnerability that allows anyone to upload files. The vulnerable page allows an attacker to upload ASP backdoor shells and HTML files under the /my_documents/my_files folder.
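For site owners, the check below is an added example (not code from the original post or from Web Wiz) that audits a local copy of a web root for the two upload pages and for ASP or HTML files sitting in the my_documents/my_files upload folder. The sample tree, the `RTE_editor` directory name and the extra extensions beyond ASP and HTML are assumptions made for illustration.

```python
import os
import re
import tempfile

# Upload pages named in the post; finding one means the editor is installed.
UPLOAD_PAGES = {"rte_popup_file_atch.asp", "rte_popup_adv_image.asp"}
# Upload folder named in the post, as lower-case path components.
UPLOAD_DIR = ("my_documents", "my_files")
# The post names ASP and HTML uploads; .asa, .cer and .aspx are an added
# assumption, since IIS can map them to a script handler too.
ACTIVE_EXT = re.compile(r"\.(?:aspx?|asa|cer|html?)(?![a-z0-9])", re.I)


def audit_webroot(root):
    """Return (upload_pages, suspicious_files) as sorted root-relative paths."""
    pages, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = tuple(p.lower() for p in rel_dir.split(os.sep))
        # True when my_documents/my_files occurs anywhere in this directory path.
        in_upload_dir = any(parts[i:i + 2] == UPLOAD_DIR for i in range(len(parts) - 1))
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if name.lower() in UPLOAD_PAGES:
                pages.append(rel)
            # Search the whole name so "img.asp;.jpg" is flagged, not only "x.asp".
            if in_upload_dir and ACTIVE_EXT.search(name):
                suspicious.append(rel)
    return sorted(pages), sorted(suspicious)


def sample_audit():
    """Audit a constructed tree (every path below is made up for this example)."""
    tree = [
        "forum/default.asp",
        "forum/RTE_editor/RTE_popup_file_atch.asp",
        "forum/my_documents/my_files/holiday.jpg",
        "forum/my_documents/my_files/x.asp",
        "forum/my_documents/my_files/page.HTML",
        "forum/my_documents/my_files/img.asp;.jpg",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in tree:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_webroot(root)


if __name__ == "__main__":
    print(sample_audit())
```

Point `audit_webroot` at a backup or staging copy of the site; any script or HTML file it lists in the upload folder should be reviewed against what users were expected to upload.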
Sad to say, a lot of websites remain unpatched and are still vulnerable today. Any skiddie could use the ‘inurl:RTE_popup_file_atch.asp’ or ‘inurl:RTE_popup_adv_image.asp’ dorks to find vulnerable websites to play with or attack. Here is a screenshot of the vulnerable page:
Fixing the Exploit