FCKeditor input sanitization errors

An advisory has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not. A patch for these issues is supposed to be released this coming Monday (July 6).

Here's what we know:

• The advisory mentions that "several" of the FCKeditor connector modules are affected and suggests removing all unused connectors. Geeklog only ships with one connector (for PHP), but it's not clear whether this connector is affected or not.
• There's a second issue regarding XSS in the FCKeditor samples. Geeklog does not include the samples, so we're not affected by this issue at least.

The advisory recommends disabling the file browser for now. To do this in Geeklog, open the file

fckeditor/editor/filemanager/connectors/php/config.php

(from your public_html directory) and find the line that reads

$Config['Enabled'] = true ;

Change that to = false; and save the change. You will still see the "Browse" buttons in FCKeditor, but they won't let you browse your server's directories any more.

If you don't use FCKeditor, you can simply remove the entire fckeditor directory (again, in public_html).

It's very frustrating for us not to be able to provide you with more information. The above is a summary of the situation as we understand it, to the best of our knowledge. Once the update for FCKeditor is out, things will (hopefully) become clearer and we can provide you with more and better advice on how to secure your site.

We're also delaying Geeklog 1.6.0rc2 until the FCKeditor update is available.