PHP and Website Security

A Lot Of Websites Still Vulnerable to Rich Text Editor (RTE) Exploit

Web Wiz Rich Text Editor

Web Wiz Rich Text Editor (RTE) is a free-to-download WYSIWYG HTML editor that replaces standard text areas with an advanced Word-style HTML area for users. On May 10, 2011, Web Wiz (the hosting and web application development company behind Web Wiz Rich Text Editor and Web Wiz Forums) released an update to Rich Text Editor because of a critical security vulnerability that allows anyone to upload files. The vulnerable page allows an attacker to upload ASP backdoor shells and HTML files under the /my_documents/my_files folder.

Sad to say, a lot of websites remain unpatched and are still vulnerable today. Any skiddie could use the ‘inurl:RTE_popup_file_atch.asp’ or ‘inurl:RTE_popup_adv_image.asp’ dorks to find vulnerable websites to play with or attack. Here is a screenshot of the vulnerable page:

[Screenshot: RTE Exploit, RTE_popup_file_atch.asp]

Fixing the Exploit

Download or upgrade to the latest Web Wiz Rich Text Editor (RTE) 4.08 from this link for free. Don’t forget to visit their blog for more updates if you are one of their customers.
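
After upgrading, it is worth checking whether the upload pages were already abused. The script below is an added example, not code from this post or from Web Wiz: it reads an IIS W3C log and flags POSTs to the two upload pages named above and successful requests for script or HTML files under /my_documents/my_files. The log field layout, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Upload pages and upload folder named in the post.
UPLOAD_PAGES = ("rte_popup_file_atch.asp", "rte_popup_adv_image.asp")
UPLOAD_DIR = "/my_documents/my_files/"
# Extensions that should never be served from an upload folder (assumed list).
RISKY_EXT = re.compile(r"\.(asp|aspx|asa|cer|cdx|htm|html)$", re.I)

# Constructed sample in IIS W3C extended format; IPs are documentation addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-06-01 10:00:01 198.51.100.7 GET /forum/default.asp 200
2011-06-01 10:02:13 203.0.113.9 GET /RTE_popup_file_atch.asp 200
2011-06-01 10:02:40 203.0.113.9 POST /RTE_popup_file_atch.asp 200
2011-06-01 10:03:02 203.0.113.9 GET /my_documents/my_files/notes.asp 200
2011-06-01 10:05:00 198.51.100.7 GET /my_documents/my_files/report.pdf 200
2011-06-01 10:06:10 192.0.2.44 GET /my_documents/my_files/index.html 404
"""

def scan(log_text):
    """Return (line_no, client_ip, reason) for each suspicious request."""
    fields, findings = [], []
    for no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared inside the log
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        method = row.get("cs-method", "")
        status = row.get("sc-status", "")
        ip = row.get("c-ip", "-")
        if stem.endswith(UPLOAD_PAGES) and method == "POST":
            # A POST to an upload page is an upload attempt.
            findings.append((no, ip, "POST to upload page"))
        elif UPLOAD_DIR in stem and RISKY_EXT.search(stem) and status.startswith("2"):
            # A 2xx here means an uploaded script or HTML file exists and was served.
            findings.append((no, ip, "script/HTML served from upload folder"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit in the second category means the folder should be inspected on disk and the flagged files reviewed, since upgrading the editor does not remove files uploaded earlier.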
