Forums (Obsolete)

Member

scott_hancock-urmc.rochester - 7/25/2011 1:57:08 PM

FCKedit Security Vulnerability

Hi,

A consultant brought to our attention that FCKedit has a security vulnerability in the file upload module. It basically allows an attacker to upload an arbitrary file to the server (like an aspx file) which can then be executed. Now my manager is talking about switching to another editor inside of Kentico. I would like to know if Kentico has taken care of this bug in the FCKeditor in the CMS and what Kentico does about security bugs that are found in third party components like FCKEdit.

Thanks,
Scott

Member

kentico_michal - 7/28/2011 2:12:10 AM

RE:FCKedit Security Vulnerability

Hello Scott,

We are not aware of any bug related to file upload. Moreover, because of the fact that Kentico CMS checks allowed file extensions, FCKEditor in Kentico can be considered as a safe solution. Just for your information, there will be a new CKEditor used instead of FCKEditor in the next version of Kentico CMS 6.0 (Q3-Q4/2011).

Best regards,
Michal Legen

Member

scott_hancock-urmc.rochester - 7/28/2011 10:41:31 AM

RE:FCKedit Security Vulnerability

It's a very serious vulnerability that's been around for a while and since it will be a while until we're ready to upgrade, I and my manager are concerned. Here are some references:

http://www.techrepublic.com/blog/security/highly-critical-fckeditor-vulnerability-reported/321
http://www.securityfocus.com/bid/31812
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2006-0658
http://secunia.com/advisories/18767/

Scott


Member	scott_hancock-urmc.rochester - 7/28/2011 10:44:18 AM RE:FCKedit Security Vulnerability Here is a more comprehensive list. http://web.nvd.nist.gov/view/vuln/search-results?query=fckeditor&search_type=all&cves=on


Member	kentico_michal - 7/29/2011 2:03:02 AM RE:FCKedit Security Vulnerability Hello, Kentico CMS R2 uses almost the last released version of FCKEditor (in particular 2.6.5), so I believe that according to this article the bug (Highly critical FCKEditor vulnerability reported) has been fixed in the FCKEditor 2.5. Best regards, Michal Legen

Member

scott_hancock-urmc.rochester - 7/29/2011 7:59:12 AM

RE:FCKedit Security Vulnerability

Hello,

I checked and the last released version is FCKEditor 2.6.6 (February 2010). The release history shows that 2.6.5 was a security release and 2.6.6 just had bug fixes. Will you be adding the latest version to the CMS (v.5) for people who are not upgrading to v.6?

Fixed in 2.6.6
Avoided infinite loop in IE with invalid HTML
The editor was not loading properly in Safari 3

Thank you for looking into this

Scott

Kentico Support

kentico_zdenekc - 8/3/2011 4:08:14 PM

RE:FCKedit Security Vulnerability

Hi,

We don't plan to add that updated version to the current releases (5.5 R2) of Kentico CMS.

The bug descriptions says:
The vulnerability is caused due to an error in the handling of file uploads in editor/filemanager/upload/php/upload.php when a filename has multiple file extensions.

It is a fix for some FCKeditor default script, which is not used in Kentico CMS port, so it shouldn't have any influence on the security.

The infinite loop issue has not been reported yet, it seems to appear only in special cases as well.

If you're experiencing any of the issues, please let us know.

Regards,
Zdenek Cetkovsky