WebsiteBaker Community Forum

WebsiteBaker => Security Announcements => Topic started by: doc on October 22, 2007, 09:07:17 PM

Title: Security Vulnerability (all FCKEditor modules prior to 2.75)
Post by: doc on October 22, 2007, 09:07:17 PM

Dear community,

the forum member sogua informed me that the WebsiteBaker FCKEditor module has a security vulnerability.
All WB FCKEditor modules < 2.75 are affected.

What does it mean?
The bug allows any user to upload files such as images, movies or textfiles (.txt) to the WB MEDIA directory. The user does not require access to the WB backend!!!

Also the default settings of the FCKEditor module prevent the upload of PHP files, this bug can be used to replace images on your server (defacing) or to upload files with sexual or forbidden contents.

Solution:
Upgrade to the latest released version (FCKEditor module v2.75 or higher) which includes security patches. First backup your configuration files in modules/fckeditor/wb_config via (FTP) if you applied changes there. Then download the latest FCKEditor module from the Addons repository. Replace the files contained in /wb_config with the ones you backuped. Install this ZIP package via the WB backend.

Check if the MEDIA directory contains any files not uploaded by yourself or any changed files. Only the MEDIA directory and the subfolder contained in MEDIA can be affected.

Note:
Other WYSIWYG editors may be affected too. We therefore recommend to place a .htaccess password protection (requires a Apache webserver) in the WYSIWYG module folder (e.g. /modules/xinha/.htaccess).

Please read the following information (http://httpd.apache.org/docs/2.2/howto/htaccess.html#auth) to learn more about creating a HTACCESS restriction. A online password generator can be found here (http://tools.dynamicdrive.com/password/).

Sorry for any unconvenience caused by this.
Christian Sommer (doc)

P.S.: Disabling the FCKEditor from the WB backend does not solve the problem, you need to update, deinstall or secure by htaccess.

Title: Re: Security Vulnerability (all FCKEditor modules prior to 2.75)
Post by: muthu on September 23, 2008, 07:31:01 PM

you need to set the media access rights controlled by WebsiteBaker for this group (advanced settings). Specify if the user is allowed to view, upload, create folders.

Only if this permissions are set, users of this group can access the media directory with FCK.
----------------------------
Muthu


 For Sale By Owner (http://www.fsbo.fastrealestate.net)