0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 4:43 pm
by Ted
Today it was brought to my attention that there is a serious security flaw in FCKeditor.  Without giving too many details, let's just say that it's a pretty bad one and could possibly compromise your system.

Please upgrade to 0.12.2 as soon as possible!

There is a diff package available for quick upgrades.  Or if you really want to be quick, replace the file modules/FCKeditorX/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php with this one:
http://svn.cmsmadesimple.org/svn/cmsmad ... nector.php

I've also released 0.13beta4 to combat this problem as well.

If you are running an older version and are unsure if you want to upgrade, please contact me via the forum and I'll help you get your system patched.

Thanks so much for your patience and get the word out!


To Translators:  Please copy this message to the language forums.  Thanks!

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 5:07 pm
by MichaelK
Can I update version 0.12 and 0.11.1 with a new version of FCKeditor?

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 5:17 pm
by Ted
You can copy over the file as described above for the 0.12 version.  For 0.11.1, it would be safer to make the change by hand.

Open up the file above in a text editor.

Add:

require_once(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(__FILE__)))))))))) . '/include.php');
check_login();
right after the first set of comments.

It'll look like this:

<?php 
/*
 * FCKeditor - The text editor for internet
 * Copyright (C) 2003-2005 Frederico Caldeira Knabben
 * 
 * Licensed under the terms of the GNU Lesser General Public License:
 * 		http://www.opensource.org/licenses/lgpl-license.php
 * 
 * For further information visit:
 * 		http://www.fckeditor.net/
 * 
 * "Support Open Source software. What about a donation today?"
 * 
 * File Name: connector.php
 * 	This is the File Manager Connector for PHP.
 * 
 * File Authors:
 * 		Frederico Caldeira Knabben (fredck@fckeditor.net)
 */

require_once(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(dirname(__FILE__)))))))))) . '/include.php');
check_login();

include('config.php') ;
include('util.php') ;
include('io.php') ;
include('basexml.php') ;
include('commands.php') ;
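
An added check, not part of Ted's post or of CMS Made Simple, that an administrator patching by hand could run against the connector file: it confirms the guard is present, that it sits before the connector's own includes, and that the number of nested dirname() calls matches the connector's depth below the CMS root (10 for the path given in the thread). The file contents below are constructed samples standing in for the real connector.php.

```python
import re
from pathlib import PurePosixPath

# Path of the connector relative to the CMS root, as given in the thread.
CONNECTOR_REL_PATH = ("modules/FCKeditorX/FCKeditor/editor/filemanager/"
                      "browser/default/connectors/php/connector.php")

def expected_dirname_depth(rel_path: str) -> int:
    """Nested dirname() calls needed to climb from the file to the CMS root."""
    return len(PurePosixPath(rel_path).parts)   # 10 for CONNECTOR_REL_PATH

def audit_connector(source: str, rel_path: str = CONNECTOR_REL_PATH) -> list[str]:
    """Return a list of problems with the login guard; empty means it looks right."""
    problems = []
    # Drop the leading /* ... */ license block so comment text cannot fool the search.
    body = re.sub(r"/\*.*?\*/", "", source, count=1, flags=re.S)
    guard = re.search(r"require_once\s*\(\s*((?:dirname\s*\(\s*)+)__FILE__(?:\s*\))+"
                      r"\s*\.\s*'/include\.php'\s*\)\s*;", body)
    login = re.search(r"\bcheck_login\s*\(\s*\)\s*;", body)
    first_include = re.search(r"\binclude\s*\(\s*'config\.php'\s*\)", body)
    if guard is None:
        problems.append("missing require_once of include.php")
    else:
        depth = guard.group(1).count("dirname")
        want = expected_dirname_depth(rel_path)
        if depth != want:
            problems.append(f"require_once climbs {depth} levels, expected {want}")
    if login is None:
        problems.append("missing check_login() call")
    # The guard must run before the connector loads its own files.
    if first_include is not None:
        for name, m in (("require_once", guard), ("check_login()", login)):
            if m is not None and m.start() > first_include.start():
                problems.append(f"{name} appears after include('config.php')")
    return problems

# Constructed sample file contents (not the real connector.php).
HEADER = "<?php\n/*\n * FCKeditor connector.php (constructed sample header)\n */\n"
INCLUDES = "include('config.php') ;\ninclude('util.php') ;\n"
GUARD = ("require_once(" + "dirname(" * 10 + "__FILE__" + ")" * 10
         + " . '/include.php');\ncheck_login();\n")
PATCHED = HEADER + GUARD + INCLUDES
UNPATCHED = HEADER + INCLUDES

if __name__ == "__main__":
    for label, src in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(label, audit_connector(src) or "OK")
```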

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 5:28 pm
by MichaelK
Thank you !!!!!  :)

It works great with this php code for older cms versions!!  ;D

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:13 pm
by Mesmer
do I have to run upgrade.php while upgrading from 12.1 to 12.2?

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:26 pm
by cyberman
Ted wrote: Please upgrade to 0.12.2 as soon as possible!
Or switch to TinyMCE  ;D ...
To Translators:  Please copy this message to the language forums.
Done!

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:28 pm
by cyberman
Mesmer wrote: do I have to run upgrade.php while upgrading from 12.1 to 12.2?
No.

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:31 pm
by jade22113
I just copied the files of 12.2 over my old 11.x installation.

Now it says 13 beta-4 on my site. Is that intended?

Regards...Jan

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:34 pm
by Ted
cyberman wrote:
Mesmer wrote: do I have to run upgrade.php while upgrading from 12.1 to 12.2?
No.
Well, if you use the diff package, then no.  If you download the full thing and copy it over 0.12.1, then yes (or it'll say your site is down).

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:36 pm
by Ted
jade22113 wrote: I just copied the files of 12.2 over my old 11.x installation.

Now it says 13 beta-4 on my site. Is that intended?

Regards...Jan
Umm.  No.  I hope I didn't package the file wrong.

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:39 pm
by jade22113
Ted wrote: Umm.  No.  I hope I didn't package the file wrong.
If you have time, please check and let me know if it was a mistake on my side...

Regards...Jan

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:45 pm
by Ted
No, I'm a total idiot.  I packaged up the trunk instead of the 0.12.2 that I made.  I was rushing around and it screwed me up.

The files are corrected.

Please look at your site, as it's now running 0.13beta4.  If it's giving you a problem, please contact me.  I'll help you revert back to 0.12.2 if necessary.  At least beta4 is pretty stable.  But it wasn't intended.

Sorry once again and thanks for bringing it to my attention.

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:48 pm
by jade22113
No problem...Thanks for the info. Looking forward to 13 stable  ;)

Cheers...Jan

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 6:49 pm
by Ted
Well, on the bright side, you pretty much have it now.  :)

Thanks

Re: 0.12.2 Released! Please READ!

Posted: Wed May 10, 2006 9:56 pm
by stefan
Ted wrote: Today it was brought to my attention that there is a serious security flaw in FCKeditor.  Without giving too many details, let's just say that it's a pretty bad one and could possibly compromise your system.
Can I find more information on this security flaw? I would like to fix it for TinyMCE, which also uses the same filebrowser as plugin and is probably also affected.