The security fix provided in this FCKeditor release relates to a vulnerability discovered in Microsoft Internet Information Services 6 (IIS6), in which the web server incorrectly executes, for example, ASP code contained in a file that has multiple extensions separated by ";" (e.g. "file.asp;.jpg"), or in a file with an arbitrary extension located in a directory whose name ends with ".asp". You can read more about it here or here. If you follow the IIS best practices, this bug will not affect you, as the upload folder should never have "Execute" permissions (for any server and environment). This was stated, among others, by Microsoft itself (read more).
The latest version of FCKeditor will no longer allow unsafe characters in file and folder names.
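The kind of name check described above, as an added example that is not FCKeditor's own connector code: an upload handler that neutralizes ";" in file names and "." in folder names before anything is written to disk. The character lists, the extension allowlist and all function names are assumptions made for this sketch, and collapsing extra dots in file names goes slightly beyond what the release note states.

```python
import re

# Characters treated as unsafe here (an assumption for this example, not
# FCKeditor's actual list): path separators, Windows-reserved characters,
# control characters and the ";" that IIS6 treats as ending the extension.
_UNSAFE_FILE = re.compile(r'[\\/|:?*"<>;\x00-\x1f\x7f]')
# Folder names additionally lose ".", so no directory can end in ".asp".
_UNSAFE_FOLDER = re.compile(r'[\\/|:?*"<>;.\x00-\x1f\x7f]')

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}  # hypothetical allowlist


def sanitize_file_name(name: str) -> str:
    """Replace unsafe characters and keep only the final extension dot."""
    name = _UNSAFE_FILE.sub("_", name).strip(" .")
    stem, dot, ext = name.rpartition(".")
    if dot:
        # "file.asp_.jpg" -> "file_asp_.jpg": one extension, decided by us
        name = stem.replace(".", "_") + "." + ext
    return name


def sanitize_folder_name(name: str) -> str:
    """Replace unsafe characters, including every dot, in a folder name."""
    return _UNSAFE_FOLDER.sub("_", name).strip()


def accept_upload(folder: str, file_name: str) -> str:
    """Return the sanitized relative path, or raise ValueError."""
    safe_folder = sanitize_folder_name(folder)
    safe_file = sanitize_file_name(file_name)
    ext = safe_file.rpartition(".")[2].lower() if "." in safe_file else ""
    if not safe_folder or not safe_file or ext not in ALLOWED_EXTENSIONS:
        raise ValueError("rejected upload name: %r" % file_name)
    return safe_folder + "/" + safe_file


if __name__ == "__main__":
    # Constructed inputs taken from the patterns named in the advisory text.
    print(accept_upload("images.asp", "file.asp;.jpg"))
    try:
        accept_upload("uploads", "page.asp")
    except ValueError as err:
        print(err)
```

Name sanitization complements, and does not replace, removing "Execute" permissions from the upload folder.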
The CKSource team would like to thank Soroush Dalili who discovered and reported this issue!
Please note that FCKeditor is a retired and no longer supported product. No further updates will be provided, and it is highly recommended to upgrade to its successor, CKEditor, which is a far superior, feature-rich and mature product.