Contributed by: Dirk
Friday, June 30 2006 @ 07:15 am EDT
While yesterday's exploit[*1] only affected incorrect Geeklog installs, this new one is more serious:
An exploit has been posted for the "mcpuk" file manager that we're shipping with FCKeditor in Geeklog 1.4.0. The exploit allows an attacker to upload and execute arbitrary code.
While FCKeditor is not enabled by default, this exploit works even when FCKeditor is disabled, as it calls the vulnerable file directly. So it is not enough to disable FCKeditor in config.php.
If you don't plan to use FCKeditor on your site, you can simply remove the entire 'fckeditor' subdirectory (from Geeklog's public_html). Otherwise, you will have to remove the file manager as explained below.
To remove the file manager, go to the 'fckeditor/editor' directory (again, in Geeklog's 'public_html' directory) and remove the entire 'filemanager' subdirectory. Then, you should disable the file manager in the FCKeditor configuration file, 'fckconfig.js'. It contains the following three options, all of which should be set to "false" to disable the file manager:
FCKConfig.LinkBrowser = false;
(...)
FCKConfig.ImageBrowser = false;
(...)
FCKConfig.FlashBrowser = false;
Next, you should check if anyone managed to upload malicious code to your site. Check the four subdirectories below 'images/library' (named 'File', 'Flash', 'Image', and 'Media') for suspicious files, i.e. ones that you didn't upload yourself. The published exploit uses files whose names contain 'suntzu' - remove those.
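The removal, configuration and upload-directory checks described above can be run as one audit. This is an added example, not part of the original advisory or of Geeklog itself; the function name `audit_geeklog`, the output labels and the case-insensitive match on 'suntzu' are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example: audit a Geeklog 1.4.0 public_html against this advisory.
# Usage: ./audit.sh /path/to/geeklog/public_html
# Prints one line per finding; no output means nothing was found.

audit_geeklog() {
    local root="$1" fm cfg opt dir f name
    fm="$root/fckeditor/editor/filemanager"
    cfg="$root/fckeditor/fckconfig.js"

    # 1. The file manager can be called directly even when FCKeditor is
    #    disabled in config.php, so the directory itself must be gone.
    if [ -d "$fm" ]; then
        echo "PRESENT filemanager: $fm"
    fi

    # 2. If FCKeditor is kept, all three browser options must be false.
    #    (Skipped when the whole 'fckeditor' directory was removed.)
    if [ -f "$cfg" ]; then
        for opt in LinkBrowser ImageBrowser FlashBrowser; do
            grep -Eq "^[[:space:]]*FCKConfig\.${opt}[[:space:]]*=[[:space:]]*false[[:space:]]*;" "$cfg" \
                || echo "NOT-DISABLED FCKConfig.${opt} in $cfg"
        done
    fi

    # 3. List every file in the four upload directories. Names containing
    #    'suntzu' match the published exploit; the rest still need a manual
    #    check against what you uploaded yourself.
    for dir in File Flash Image Media; do
        [ -d "$root/images/library/$dir" ] || continue
        find "$root/images/library/$dir" -type f | while IFS= read -r f; do
            # Assumption: compare case-insensitively to be conservative.
            name=$(basename "$f" | tr 'A-Z' 'a-z')
            case "$name" in
                *suntzu*) echo "EXPLOIT-NAME $f" ;;
                *)        echo "REVIEW $f" ;;
            esac
        done
    done
    return 0
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_geeklog "$1"
fi
```

Lines marked REVIEW are not necessarily malicious; they are simply files present in the upload directories that you should recognise as your own.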
After these changes, FCKeditor should continue to work, but you won't be able to upload files with it. If you'd rather have the upload capabilities back, you could upgrade to the recently released FCKeditor 2.3 (instructions can be found in the forum[*2]).