Welcome to Geeklog Wednesday, June 19 2013 @ 02:03 AM EDT
While yesterday's exploit only affected incorrect Geeklog installs, this new one is more serious:
An exploit has been posted for the "mcpuk" file manager that we're shipping with FCKeditor in Geeklog 1.4.0. The exploit allows an attacker to upload and execute arbitrary code.
While FCKeditor is not enabled by default, this exploit works even when FCKeditor is disabled, as it calls the vulnerable file directly. So it is not enough to disable FCKeditor in config.php.
If you don't plan to use FCKeditor on your site, you can simply remove the entire 'fckeditor' subdirectory (from Geeklog's public_html). Otherwise, you will have to remove the file manager as explained below ...
To remove the file manager, go to the 'fckeditor/editor' directory (again, in Geeklog's 'public_html' directory) and remove the entire 'filemanager' subdirectory. Then, you should disable the file manager in the FCKeditor configuration file, 'fckconfig.js'. It contains the following three options, all of which should be set to "false" to disable the file manager:
FCKConfig.LinkBrowser = false;
(...)
FCKConfig.ImageBrowser = false;
(...)
FCKConfig.FlashBrowser = false;
Next, you should check if anyone managed to upload malicious code to your site. Check the four subdirectories below 'images/library' (named 'File', 'Flash', 'Image', and 'Media') for suspicious files, i.e. ones that you didn't upload yourself. The published exploit uses files whose names contain 'suntzu' - remove those.
After these changes, FCKeditor should continue to work, but you won't be able to upload files with it. If you'd rather have the upload capabilities back, you could upgrade to the recently released FCKeditor 2.3 (instructions can be found in the forum).
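The following script is an added example, not part of the Geeklog advisory or of Geeklog's own code. It turns the three steps above (remove the 'filemanager' directory, set the three browser options to false, inspect 'images/library') into checks you can re-run against an install. It assumes the standard Geeklog 1.4.0 layout named in the text ('fckeditor/fckconfig.js', 'fckeditor/editor/filemanager' and 'images/library/{File,Flash,Image,Media}' under public_html); the list of file extensions it treats as executable is an assumption chosen for the example, while the 'suntzu' name check comes from the advisory.

```shell
#!/bin/sh
# Added example: audit a Geeklog 1.4.0 public_html tree for the FCKeditor
# file-manager issue. Usage:  sh audit_fck.sh /path/to/public_html
# Layout assumptions (from the advisory): fckeditor/fckconfig.js,
# fckeditor/editor/filemanager, images/library/{File,Flash,Image,Media}.

# Step 1: return 0 when the vulnerable 'filemanager' directory is gone, 1 if it still exists.
filemanager_removed() {
    [ ! -e "$1/fckeditor/editor/filemanager" ]
}

# Step 2: return 0 only when all three *Browser options in fckconfig.js are set to false.
browsers_disabled() {
    cfg="$1/fckeditor/fckconfig.js"
    [ -f "$cfg" ] || return 1
    for opt in LinkBrowser ImageBrowser FlashBrowser; do
        grep -Eq "^[[:space:]]*FCKConfig\.$opt[[:space:]]*=[[:space:]]*false[[:space:]]*;" "$cfg" \
            || return 1
    done
    return 0
}

# Step 3: print files under images/library worth a manual look: names containing
# 'suntzu' (used by the published exploit) and names carrying a server-side
# script extension anywhere in the name (e.g. 'x.php.jpg'); the extension list
# is an assumption for this example, extend it to match your web server's handlers.
suspicious_uploads() {
    lib="$1/images/library"
    find "$lib/File" "$lib/Flash" "$lib/Image" "$lib/Media" -type f 2>/dev/null \
    | while read -r f; do
        case "$(basename "$f")" in
            *suntzu*)                        echo "$f" ;;
            *.php*|*.phtml*|*.pl|*.cgi|*.sh|.htaccess) echo "$f" ;;
        esac
    done
}

# Run all three checks and report; exit status 1 if anything still needs attention.
audit_install() {
    rc=0
    filemanager_removed "$1" \
        || { echo "WARN: $1/fckeditor/editor/filemanager is still present"; rc=1; }
    browsers_disabled "$1" \
        || { echo "WARN: not all FCKConfig.*Browser options in fckconfig.js are false"; rc=1; }
    found=$(suspicious_uploads "$1")
    [ -z "$found" ] || { echo "WARN: files to review under images/library:"; echo "$found"; rc=1; }
    return $rc
}

if [ "$#" -eq 1 ]; then
    audit_install "$1"
fi
```

Run it once after applying the changes and again later as a cheap regression check; a file the script lists is something to look at, not proof of compromise, so compare it against what you uploaded yourself before deleting it. Since the advisory notes that attempts show up in the web server logs, a grep of the access log for requests under 'fckeditor/editor/filemanager' is a useful companion check.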
There have been a couple of new Geeklog exploits released into the wild and in the hands of script kiddies everywhere! We are already seeing hundreds of attempts each day in the logs here. Please see this article at the main Geeklog Site for more info.