Well, I am an admin of a large network, and many web apps in the network use FCKeditor. I noticed that there is a
security update for FCKeditor from 2.6.4 to 2.6.4.1. At SecurityFocus I found this thread:
http://www.securityfocus.com/bid/31812 FCKeditor 'CurrentFolder' Parameter Arbitrary File Upload Vulnerability.
But I downloaded the latest version 2.6.4.1 and 2.6.4, compared them, and found that the vulnerability listed at SecurityFocus doesn't seem to be in version 2.6.4; the vulnerable file
doesn't even exist (the arbitrary file upload vulnerability)! All I noticed is that some XSS vulnerabilities were fixed.
Is it necessary to update all the FCKeditor copies in my network?
Because that's really a lot of work.
Best Regards
Sat, 07/11/2009 - 04:07
#1
Re: security issues about update to 2.6.4.1
If you aren't using it and you have deleted it, as well as the _samples, then you don't need to worry; but if you are using the file manager then you should review and probably upgrade that code (the editor itself hasn't been changed at all).
Please note that the PoC samples included in that advisory are wrong: they target other vulnerabilities, NOT in FCKeditor but in the configuration of other applications that have included FCKeditor and made custom modifications to the file manager.
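Added example (not code from this thread or from the FCKeditor project): a small Python inventory script that applies the rule given in the reply above to every FCKeditor copy under a web root. An install that still ships editor/filemanager and reports a version below 2.6.4.1 is flagged "upgrade" (or delete the file manager if the app never uses it), a leftover _samples directory is flagged for removal, and anything else is left alone. The directory names editor/filemanager and _samples and the `Version = '...'` line in fckeditor.js are assumptions about a typical install layout, and the three installs the script builds for itself are constructed sample input, not data from the thread.

```python
"""Inventory FCKeditor copies under a web root and flag the ones that still
need attention after the 2.6.4 -> 2.6.4.1 file-manager update.

Assumptions (not facts from the thread): each install lives in a directory
named fckeditor/, carries fckeditor.js with a line like  this.Version = '2.6.4' ;
and keeps the file manager under editor/filemanager/ and the demos under _samples/.
"""
import os
import re
import tempfile

FIXED_VERSION = (2, 6, 4, 1)  # first release carrying the file-manager fix
VERSION_RE = re.compile(r"""Version\s*=\s*['"]([0-9][0-9.]*)['"]""")


def parse_version(text):
    """Extract the dotted version from fckeditor.js as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def assess(install_dir):
    """Decide what one install needs: 'upgrade', 'remove _samples' or 'ok'."""
    js = os.path.join(install_dir, "fckeditor.js")
    version = None
    if os.path.isfile(js):
        with open(js, encoding="utf-8", errors="replace") as f:
            version = parse_version(f.read())
    has_fm = os.path.isdir(os.path.join(install_dir, "editor", "filemanager"))
    has_samples = os.path.isdir(os.path.join(install_dir, "_samples"))
    # Tuple comparison handles (2, 6, 4) < (2, 6, 4, 1); an unreadable version
    # is treated as old so it is not silently skipped.
    if has_fm and (version is None or version < FIXED_VERSION):
        action = "upgrade"  # or delete editor/filemanager if the app never uses it
    elif has_samples:
        action = "remove _samples"
    else:
        action = "ok"
    return {"path": install_dir, "version": version, "filemanager": has_fm,
            "samples": has_samples, "action": action}


def inventory(webroot):
    """Walk a web root and assess every directory named fckeditor (any case)."""
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot):
        if os.path.basename(dirpath).lower() == "fckeditor":
            findings.append(assess(dirpath))
            dirnames[:] = []  # no need to descend into the editor tree itself
    return findings


def build_sample_tree(base):
    """Constructed sample input: three installs in the states the reply describes."""
    layouts = {
        "app1/fckeditor": ("2.6.4", True, True),    # old, file manager still present
        "app2/fckeditor": ("2.6.4", False, True),   # file manager removed, _samples left
        "app3/fckeditor": ("2.6.4.1", True, False), # patched, demos removed
    }
    for rel, (ver, fm, samples) in layouts.items():
        d = os.path.join(base, rel)
        os.makedirs(d)
        with open(os.path.join(d, "fckeditor.js"), "w", encoding="utf-8") as f:
            f.write("var FCKeditor = function(){ this.Version = '%s' ; }\n" % ver)
        if fm:
            os.makedirs(os.path.join(d, "editor", "filemanager", "connectors"))
        if samples:
            os.makedirs(os.path.join(d, "_samples"))


def demo():
    """Run the inventory over the constructed tree; returns {relative path: action}."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {os.path.relpath(f["path"], base).replace(os.sep, "/"): f["action"]
                for f in inventory(base)}


if __name__ == "__main__":
    for path, action in sorted(demo().items()):
        print("%-20s %s" % (path, action))
```

Point `inventory()` at a real document root instead of the constructed tree to get the list of installs that actually need work; the version line regex is the part most likely to need adjusting for a given FCKeditor build.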