Author Topic: Security Vulnerability (all FCKEditor modules prior to 2.75)  (Read 26240 times)

doc

  • Guest
Security Vulnerability (all FCKEditor modules prior to 2.75)
« on: October 22, 2007, 09:07:17 PM »
Dear community,

The forum member sogua informed me that the WebsiteBaker FCKEditor module has a security vulnerability.
All WB FCKEditor modules < 2.75 are affected.

What does it mean?
The bug allows any user to upload files such as images, movies or text files (.txt) to the WB MEDIA directory. The user does not require access to the WB backend!!!

Although the default settings of the FCKEditor module prevent the upload of PHP files, this bug can be used to replace images on your server (defacing) or to upload files with sexual or forbidden contents.

Solution:
Upgrade to the latest released version (FCKEditor module v2.75 or higher), which includes security patches. First back up your configuration files in modules/fckeditor/wb_config via FTP if you applied changes there. Then download the latest FCKEditor module from the Add-ons repository. Replace the files contained in /wb_config with the ones you backed up. Install this ZIP package via the WB backend.

Check whether the MEDIA directory contains any files not uploaded by yourself or any changed files. Only the MEDIA directory and the subfolders contained in MEDIA can be affected.

Note:
Other WYSIWYG editors may be affected too. We therefore recommend placing a .htaccess password protection (requires an Apache web server) in the WYSIWYG module folder (e.g. /modules/xinha/.htaccess).

Please read the following information to learn more about creating an HTACCESS restriction. An online password generator can be found here.

Sorry for any inconvenience caused by this.
Christian Sommer (doc)

P.S.: Disabling the FCKEditor from the WB backend does not solve the problem; you need to update, uninstall or secure it by htaccess.
« Last Edit: October 29, 2007, 08:55:37 PM by doc »
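The advisory's clean-up step (check MEDIA for files you did not upload or that were changed) is easier with a baseline to compare against. The following is an added example, not code from the WebsiteBaker project or from this post: a POSIX shell baseline-and-compare check over the MEDIA directory. The directory paths used in the comments are assumed placeholders.

```shell
#!/bin/sh
# Added example (not WebsiteBaker code): integrity check for the WB MEDIA
# directory. Record a manifest once (e.g. right after installing the patched
# module), then re-run the comparison to spot files dropped in or replaced.
# Example placeholder paths: /var/www/wb/media and /root/media-baseline.txt

# Write a manifest with one "crc size ./relative/path" line per file under DIR.
media_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          cksum "$f"
      done ) > "$out"
}

# Compare DIR against MANIFEST and print one line per difference:
#   NEW <path>      not in the baseline (possibly an unauthorised upload)
#   CHANGED <path>  crc or size differs (possibly a replaced/defaced image)
#   MISSING <path>  listed in the baseline but gone from disk
# Prints nothing when the tree matches the baseline exactly.
media_compare() {
    dir=$1; manifest=$2
    # Pass 1: every file on disk now, looked up in the manifest by path
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        now=$(cd "$dir" && cksum "$f" | cut -d' ' -f1,2)
        old=$(awk -v p="$f" '{l=$0; sub(/^[^ ]+ [^ ]+ /,"",l); if (l==p) print $1" "$2}' "$manifest")
        if [ -z "$old" ]; then
            echo "NEW $f"
        elif [ "$now" != "$old" ]; then
            echo "CHANGED $f"
        fi
    done
    # Pass 2: every baseline entry that no longer exists on disk
    while IFS= read -r line; do
        p=${line#* }; p=${p#* }          # strip "crc size " to get the path
        [ -f "$dir/$p" ] || echo "MISSING $p"
    done < "$manifest"
}

# Convenience wrapper: exit 0 when clean, 1 (and print the report) otherwise.
media_check() {
    diffs=$(media_compare "$1" "$2")
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}
```

Paths containing spaces are handled, but the manifest must be stored outside the web root so an uploader cannot overwrite it.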

muthu

  • Guest
Re: Security Vulnerability (all FCKEditor modules prior to 2.75)
« Reply #1 on: September 23, 2008, 07:31:01 PM »
You need to set the media access rights controlled by WebsiteBaker for this group (advanced settings). Specify whether the user is allowed to view, upload or create folders.

Only if these permissions are set can users of this group access the media directory with FCK.
----------------------------
Muthu
