Contributed by: Dirk
Sunday, July 05 2009 @ 07:20 am EDT
An advisory[*1] has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not. A patch for these issues is supposed to be released this coming Monday (July 6).
Here's what we know:
The advisory recommends disabling the file browser for now. To do this in Geeklog, open the file
(from your public_html directory) and find the line that reads
$Config['Enabled'] = true ;
Change that to
$Config['Enabled'] = false ;
and save the change. You will still see the "Browse" buttons in FCKeditor, but they won't let you browse your server's directories any more.
If you don't use FCKeditor, you can simply remove the entire fckeditor directory (again, in public_html).
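One way to confirm the workaround took effect in every copy of FCKeditor under a web root, as an added example (not Geeklog or FCKeditor code). It assumes the setting appears as a PHP assignment to $Config['Enabled'] as quoted above; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report connector configs whose file browser is not disabled.
# Assumption: the setting is a PHP assignment to $Config['Enabled'].

# Print enabled / disabled / unknown for one PHP file.
# The last uncommented assignment wins, as it does when PHP runs the file.
browser_state() {
    awk '
        /^[ \t]*(\/\/|\/\*|\*|#)/ { next }            # ignore comment lines
        /\$Config\[[ \t]*['\''"]Enabled['\''"][ \t]*\][ \t]*=/ {
            v = tolower($0)
            sub(/^[^=]*=[ \t]*/, "", v)               # keep the right-hand side
            if (v ~ /^true[ \t]*;/)       state = "enabled"
            else if (v ~ /^false[ \t]*;/) state = "disabled"
            else                          state = "unknown"
        }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}

# Print "<state><TAB><path>" for every file not confirmed disabled.
audit_tree() {
    find "$1" -type f -name '*.php' -exec grep -l 'Config\[.*Enabled' {} + |
    while IFS= read -r f; do
        state=$(browser_state "$f")
        [ "$state" = "disabled" ] || printf '%s\t%s\n' "$state" "$f"
    done
}

# Constructed sample tree (hypothetical paths), so the check can be tried offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site-a" "$d/site b"
    printf '%s\n' '<?php' "\$Config['Enabled'] = true ;" > "$d/site-a/config.php"
    printf '%s\n' '<?php' "// \$Config['Enabled'] = true ;" \
        "\$Config['Enabled'] = false ;" > "$d/site b/config.php"
    echo "$d"
}

tree=$(make_sample_tree)
audit_tree "$tree"      # lists only site-a/config.php, marked "enabled"
rm -rf "$tree"
```

Point audit_tree at your own public_html directory; empty output means every matching file has the file browser switched off.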
It's very frustrating for us not to be able to provide you with more information. The above is a summary of the situation as we understand it, to the best of our knowledge. Once the update for FCKeditor is out, things will (hopefully) become clearer and we can provide you with more and better advice on how to secure your site.
We're also delaying Geeklog 1.6.0rc2 until the FCKeditor update is available.