The forum member sogua informed me that the WebsiteBaker FCKEditor module has a security vulnerability. All WB FCKEditor modules < 2.75 are affected.

What does it mean?
The bug allows any user to upload files such as images, movies or text files (.txt) to the WB MEDIA directory. The user does not require access to the WB backend!

Although the default settings of the FCKEditor module prevent the upload of PHP files, this bug can be used to replace images on your server (defacing) or to upload files with sexual or otherwise forbidden content.

Solution:
Upgrade to the latest released version (FCKEditor module v2.75 or higher), which includes security patches. First back up your configuration files in modules/fckeditor/wb_config (via FTP) if you applied changes there. Then download the latest FCKEditor module from the Addons repository. Replace the files contained in /wb_config with the ones you backed up. Install this ZIP package via the WB backend.

Check whether the MEDIA directory contains any files not uploaded by yourself or any changed files. Only the MEDIA directory and the subfolders contained in MEDIA can be affected.

Note:
Other WYSIWYG editors may be affected too. We therefore recommend placing a .htaccess password protection (requires an Apache webserver) in the WYSIWYG module folder (e.g. /modules/xinha/.htaccess).

Please read the following information to learn more about creating a HTACCESS restriction. An online password generator can be found here.
Sorry for any inconvenience caused by this.
Christian Sommer (doc)
P.S.: Disabling the FCKEditor from the WB backend does not solve the problem; you need to update, uninstall or secure it with .htaccess.
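To make the "check the MEDIA directory for files you did not upload or that were changed" step repeatable, here is an added example (not part of the original post or of WebsiteBaker) that snapshots the MEDIA directory into a hash manifest and later diffs the directory against it. It assumes GNU coreutils and file names without newlines or backslashes; the extension allowlist is an assumption to adapt to your site.

```shell
#!/bin/sh
# Added example, not part of the original advisory: snapshot the WB MEDIA
# directory and later diff it against that baseline, so files added, replaced
# or removed through the editor upload path stand out.
# Assumptions: GNU coreutils (sha256sum, find -print0, xargs -0) and file
# names without newlines or backslashes.

# Print "sha256  path" for every regular file under directory $1,
# sorted by path so two manifests can be compared line by line.
media_manifest() {
    find "$1" -type f -print0 | xargs -0 -r sha256sum | LC_ALL=C sort -k 2
}

# Compare the baseline manifest $1 with the current state of directory $2.
# One finding per line: NEW <path>, CHANGED <path> or DELETED <path>.
media_diff() {
    baseline=$1
    current=$(mktemp) || return 1
    media_manifest "$2" > "$current"
    # The hash is 64 hex chars followed by two spaces, so the path starts
    # at column 67; taking it with substr keeps paths with spaces intact.
    awk '
        { hash = $1; path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        !(path in base)      { print "NEW " path; next }
        base[path] != hash   { print "CHANGED " path }
    ' "$baseline" "$current"
    awk '
        { path = substr($0, 67) }
        FILENAME == ARGV[1] { cur[path] = 1; next }
        !(path in cur)      { print "DELETED " path }
    ' "$current" "$baseline"
    rm -f "$current"
}

# Report files whose extension is not one of the media types the MEDIA
# directory is expected to hold (this allowlist is an assumption; adjust it).
unexpected_types() {
    find "$1" -type f ! \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.gif' \
        -o -iname '*.png' -o -iname '*.txt' -o -iname '*.pdf' \)
}

# Usage: media_manifest /path/to/media > baseline.txt   (right after cleanup)
#        media_diff baseline.txt /path/to/media          (later, e.g. from cron)
#        unexpected_types /path/to/media
```

Take the baseline only after you have upgraded the module and verified the directory by hand, otherwise a file planted earlier becomes part of the "known good" state.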