Contributed by: Dirk Sunday, August 30 2009 @ 01:05 pm EDT
Last week, an exploit was published that allows unauthorized direct uploads to a Geeklog site, using the PHP connector included with FCKeditor. The uploads still have to go through FCKeditor's filters, so it's not possible to use this to upload scripts and the integrity of the Geeklog site as such is not in danger. As it turns out, however, this exploit is now being used to host malware on some Geeklog sites. So it seems we completely underestimated the impact of this issue.
Geeklog 1.6.0sr2[*1] is now available for download and ships with a much more restrictive configuration for uploads through FCKeditor. There's also an archive to upgrade from 1.6.0sr1[*2] and an updated version of the drop-in FCKeditor replacement[*3] for older Geeklog versions.
If you don't use FCKeditor (aka "Advanced Editor") on your site, the easiest and safest method is to simply remove the entire fckeditor directory (from your public_html directory). Otherwise, please install one of the above updates ASAP.
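To illustrate why "the filters block scripts" was not enough and what a "much more restrictive configuration" means in practice, here is an added example in PHP. It is not code from Geeklog or from FCKeditor's connector; the function name isUploadAllowed(), the extension lists and the sample file names are assumptions chosen for illustration. It contrasts a deny-list policy (reject a few script extensions, accept everything else) with an allow-list policy that accepts only a handful of inert image types, rejects any file whose name carries a second extension or a directory component, and refuses anonymous uploads altogether.

```php
<?php
// Added example (not Geeklog's or FCKeditor's own code).
// Names, extension lists and sample inputs below are assumptions.

// Deny-list policy: blocks server-side scripts, but still accepts
// executables, HTML pages, archives and anything else not on the list.
$deniedExtensions = array('php', 'php3', 'php5', 'phtml', 'pl', 'cgi', 'asp', 'aspx', 'jsp', 'sh');

// Allow-list policy: only a short list of types the editor actually needs.
$allowedExtensions = array('gif', 'jpg', 'jpeg', 'png');

// Returns true only for an authenticated uploader sending a plain file name
// whose every extension is on the allow-list (hypothetical helper).
function isUploadAllowed($fileName, $isAuthenticated, array $allowedExtensions)
{
    if (!$isAuthenticated) {
        return false;                          // never accept anonymous uploads
    }
    $base = basename($fileName);
    if ($base === '' || $base !== $fileName || $base[0] === '.') {
        return false;                          // empty, path-carrying or hidden names
    }
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return false;                          // no extension at all
    }
    array_shift($parts);                       // drop the file name stem
    // Check every extension so a double extension such as image.php.png
    // is rejected rather than judged by its last component only.
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), $allowedExtensions, true)) {
            return false;
        }
    }
    return true;
}

// Deny-list check as many connectors do it: look only at the last extension.
function isUploadDenied($fileName, array $deniedExtensions)
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return in_array($ext, $deniedExtensions, true);
}

// Constructed sample file names to compare the two policies side by side.
$samples = array('photo.jpg', 'update.exe', 'page.html', 'image.php.png', '../escape.png', 'noext');
foreach ($samples as $name) {
    $weak   = !isUploadDenied($name, $deniedExtensions);
    $strict = isUploadAllowed($name, true, $allowedExtensions);
    printf("%-16s deny-list: %-7s allow-list: %s\n",
        $name, $weak ? 'accept' : 'reject', $strict ? 'accept' : 'reject');
}
// The same name from an unauthenticated uploader is always rejected.
printf("%-16s anonymous:  %s\n", 'photo.jpg',
    isUploadAllowed('photo.jpg', false, $allowedExtensions) ? 'accept' : 'reject');
```

Run with the PHP CLI, the deny-list column accepts every sample except the script extensions it names, while the allow-list column accepts only photo.jpg. That difference is the whole point of the advisory: a filter that merely stops scripts leaves the site usable as a file host, and the restrictive configuration closes that gap by accepting nothing the editor does not need.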
Independent of this issue, there are reports of Geeklog sites being hacked through two older FCKeditor-related issues (see: File uploads through FCKeditor and FCKeditor input sanitization errors). If you haven't installed those updates yet, please do so now.
In retrospect, we really dropped the ball on this one. While we were looking for a fix, we didn't realize the potential misuse of this exploit and thus didn't treat it with the urgency it would have required. Our apologies for that. I'm also taking some personal responsibility for this issue, since I'm not using FCKeditor myself and haven't really looked into it too closely. The issues in the upload configuration were really obvious (our fault, btw, not FCKeditor's) but went unnoticed. Sorry about that, and we will be reviewing the FCKeditor integration for the next Geeklog release.