User Functions


There are no upcoming events

What's New

Stories last 2 weeks

No new stories

Comments last 2 weeks

No new comments

Trackbacks last 2 weeks

No new trackback comments

Links last 2 weeks

No recent new links

Downloads last 2 weeks

No new files

Welcome to Geeklog Tuesday, December 06 2016 @ 07:02 am EST

File uploads through FCKeditor

  • Contributed by:
  • Views:

A user by the name of t0pP8uZz has demonstrated that the file upload capabilities of FCKeditor, as shipped with Geeklog, can be used to directly upload various sorts of files to a website running Geeklog. The file types are still restricted by FCKeditor's whitelist of allowed types, so it's not possible to upload PHP scripts or the like. Still, this is not something that should be possible as it has the potential for malicious use.

The issue affects Geeklog 1.4.1 and 1.5.0 and possibly other versions when FCKeditor was updated manually.

We will be addressing this problem in the upcoming 1.5.1 release of Geeklog. In the meantime, here's a list of things you can do now:

Remove FCKeditor

If you're not using FCKeditor on your site, you can simply remove the entire fckeditor directory from your webspace. Please note that disabling the Advanced Editor option in the Configuration is not enough.

Disable uploads

If you want to continue using FCKeditor but don't need the ability to upload files through it, you can disable that option in FCKeditor. Please find the following file:

  • for Geeklog 1.4.1 (FCKeditor 2.3.1): fckeditor/editor/filemanager/upload/php/config.php
  • for Geeklog 1.5.0 (FCKeditor 2.6): fckeditor/editor/filemanager/connectors/php/config.php

In either file, find the line that reads

$Config['Enabled'] = true ;

and change it to = false;

You may want to check for both config files, in case you upgraded from an earlier Geeklog version by overwriting the files. Since the position of the file within FCKeditor changed, you may still have a copy of the old file on your site.

Prevent direct upload

If you need both FCKeditor and the ability to upload files through it, you can prevent direct execution of the upload script. The location of the upload script depends on the version of FCKeditor:

  • for Geeklog 1.4.1 (FCKeditor 2.3.1): fckeditor/editor/filemanager/upload/php/upload.php
  • for Geeklog 1.5.0 (FCKeditor 2.6): fckeditor/editor/filemanager/connectors/php/upload.php

At the beginning of the upload.php file, after the copyright notice but before the first require(...), add this piece of code:

if (strpos($_SERVER['PHP_SELF'], 'upload.php') !== false) {
    die('This file can not be used on its own!');

Again, you may want to check both locations, in case you have an older copy of the upload script around.


Trackback URL for this entry:

[...] martes, septiembre 09 2008 @ 08:30 GMT-6 Geeklog 1.5.1 es sobre todo una actualización del bugfix para Geeklog 1.5.0 en el cual consistia en un bug con el FCKEditor.  El primer candidato del lanzamiento está disponible [...] [read more]

[...] (KoalaSoft) martes, septiembre 09 2008 @ 09:48 CDT Geeklog 1.5.1 es sobre todo una actualización del bugfix para Geeklog 1.5.0 en el cual consistia en un error de programación que provocaba que desde el FCKEditor se pudiece [...] [read more]

[...] Geeklog 1.5.1... Media Gallery v1.... Links last 2 weeksNo recent new links Older Stories Tuesday 02-Sep File uploads through FCKeditor (0)Monday 25-Aug Bad Behavior 2.0.23 (0)Friday 22-Aug AptitudeCMS Logo Contest! (1) Reminder: Geeklog at [...] [read more]

[...] this issue are reports about Geeklog sites being hacked through two older FCKeditor-related issues (see: File uploads through FCKeditor and FCKeditor input sanitization errors). So if you haven't installed those updates yet, please do so ASAP [...] [read more]

The following comments are owned by whomever posted them. This site is not responsible for what they say.

  • File uploads through FCKeditor
  • Authored by:BMcDonald on Friday, December 12 2014 @ 01:51 pm EST

Hi, I started getting hacked through the upload.php in the fkeditor, by ali, LOADING my images folder and library folder with files.  I did what this says about preventing direct uploads and it worked to prevent anything from being uploaded into the images folder, but he/she is still uploading crap into the library folder in the images folder. 

I looked to disable uploads and noticed in the "config.php file" it has a warming.

//       WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
//        authenticated users can access this file or use some kind of session checking.

I'd rather not diable uploads, so the question is, how do I ensure only authenticated users can access this file?


  • File uploads through FCKeditor
  • Authored by:BMcDonald on Friday, December 12 2014 @ 06:22 pm EST
I should mention that I'm still using version 1.4.1.