Welcome to Geeklog Tuesday, December 10 2013 @ 09:57 AM EST
An advisory has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not. A patch for these issues is supposed to be released this coming Monday (July 6).
Here's what we know:
The advisory recommends disabling the file browser for now. To do this in Geeklog, open the file
(from your public_html directory) and find the line that reads
$Config['Enabled'] = true ;
Change that to
= false; and save the change. You will still see the "Browse" buttons in FCKeditor, but they won't let you browse your server's directories any more.
If you don't use FCKeditor, you can simply remove the entire fckeditor directory (again, in public_html).
It's very frustrating for us not to be able to provide you with more information. The above is a summary of the situation as we understand it, to the best of our knowledge. Once the update for FCKeditor is out, things will (hopefully) become clearer and we can provide you with more and better advice on how to secure your site.
We're also delaying Geeklog 1.6.0rc2 until the FCKeditor update is available.
[...] should also be the last stop before the release of the final 1.6.0. This releases includes fixes for the FCKeditor security issue, some more fixes for the migration option of the install script, a fix for searches by date, and some more [...] [read more]
[...] (7)Monday 27-Jul PostgreSQL beta support! (4)Sunday 19-Jul Geeklog 1.6.0 (1) Geeklog 1.6.0rc2 (3) FCKeditor input sanitization errors (3) Welcome to GeeklogSunday, August 30 2009 @ 01:06 PM EDT Geeklog 1.6.0sr2 Sunday, August 30 2009 @ 01:05 [...] [read more]