FCKeditor input sanitization errors

Security
  • Sunday, July 05 2009 @ 07:20 AM EDT
  • Contributed by:
  • Views: 6,498

An advisory has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not. A patch for these issues is supposed to be released this coming Monday (July 6).

Here's what we know:

  • The advisory mentions that "several" of the FCKeditor connector modules are affected and suggests removing all unused connectors. Geeklog only ships with one connector (for PHP), but it's not clear whether this connector is affected or not.
  • There's a second issue regarding XSS in the FCKeditor samples. Geeklog does not include the samples, so we're not affected by this issue at least.

The advisory recommends disabling the file browser for now. To do this in Geeklog, open the file

fckeditor/editor/filemanager/connectors/php/config.php

(from your public_html directory) and find the line that reads

$Config['Enabled'] = true ;

Change that line to read $Config['Enabled'] = false; and save the file. You will still see the "Browse" buttons in FCKeditor, but they will no longer let you browse your server's directories.

If you don't use FCKeditor, you can simply remove the entire fckeditor directory (again, in public_html).
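As an added example (not part of the Geeklog post and not FCKeditor's or Geeklog's own code), the following POSIX shell functions apply the change described above and verify it. They assume the Geeklog public_html path is passed as the argument, and that the connector config path and the $Config['Enabled'] line are exactly as quoted in the post; the sample config written in the comments is constructed.

```shell
#!/bin/sh
# Added example: disable the FCKeditor PHP connector as the post describes,
# then confirm the flag really changed. Assumes the connector config lives at
# the path quoted in the post, relative to public_html.

CONNECTOR_CFG="fckeditor/editor/filemanager/connectors/php/config.php"

# Return 0 if the connector config exists and still has Enabled = true,
# 1 if it is disabled or the file is absent (e.g. fckeditor/ was removed).
fck_connector_enabled() {
    cfg="$1/$CONNECTOR_CFG"
    [ -f "$cfg" ] || return 1
    # Match $Config['Enabled'] = true ; with any spacing around = and ;
    grep -Eq '^\$Config\[[^]]*Enabled[^]]*][[:space:]]*=[[:space:]]*true[[:space:]]*;' "$cfg"
}

# Flip the Enabled flag to false in place, keeping a .bak copy of the original,
# and return 0 only if the connector is confirmed disabled afterwards.
fck_disable_connector() {
    cfg="$1/$CONNECTOR_CFG"
    [ -f "$cfg" ] || { echo "no connector config at $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak"
    sed 's/^\(\$Config\[[^]]*Enabled[^]]*][[:space:]]*=[[:space:]]*\)true[[:space:]]*;/\1false;/' \
        "$cfg.bak" > "$cfg"
    ! fck_connector_enabled "$1"
}

# Usage (hypothetical path):
#   . ./fck_disable.sh
#   fck_disable_connector /var/www/public_html && echo "connector disabled"
```

The check function is useful on its own after the official FCKeditor update lands: re-running it tells you whether the replacement files re-enabled the connector.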

It's very frustrating for us not to be able to provide you with more information. The above is a summary of the situation as we understand it, to the best of our knowledge. Once the update for FCKeditor is out, things will (hopefully) become clearer and we can provide you with more and better advice on how to secure your site.

We're also delaying Geeklog 1.6.0rc2 until the FCKeditor update is available.

Trackback

Trackback URL for this entry:
http://www.geeklog.net/trackback.php/fckeditor-input-sanitization

[...] should also be the last stop before the release of the final 1.6.0. This release includes fixes for the FCKeditor security issue, some more fixes for the migration option of the install script, a fix for searches by date, and some more [...] [read more]


The following comments are owned by whomever posted them. This site is not responsible for what they say.

  • FCKeditor input sanitization errors
  • Authored by: xardoz on Monday, July 06 2009 @ 08:12 AM EDT
I was using the FCKeditor on a test of the release candidate and while it accepted the [image] tag, it ignored the alignment specification in [image_right]. Picture showed, but didn't align right. Didn't have a chance to test further, and I was using an old, highly modded theme, but it's never failed me before.
  • FCKeditor input sanitization errors
  • Authored by: xardoz on Monday, July 06 2009 @ 09:21 AM EDT
Looks like it was my theme - works fine under Professional.
  • FCKeditor 2.6.4.1 drop-in replacement available
  • Authored by: Dirk on Sunday, July 12 2009 @ 10:31 AM EDT

A drop-in replacement for earlier FCKeditor versions, as shipped with all Geeklog versions prior to 1.6.0rc2, is now available for download.

This is FCKeditor 2.6.4.1 bundled to work with Geeklog and should work with Geeklog 1.5.x (as well as Geeklog 1.6.0 prior to rc2). It also seems to work with Geeklog 1.4.1. Other versions have not been tested.

Installation instructions are included. Summary: Replace your fckeditor directory with the one from this tarball.
