scott_hancock-urmc.rochester - 7/25/2011 1:57:08 PM
   
FCKedit Security Vulnerability
Hi,

A consultant brought to our attention that FCKeditor has a security vulnerability in the file upload module. It basically allows an attacker to upload an arbitrary file to the server (like an aspx file) which can then be executed. Now my manager is talking about switching to another editor inside of Kentico. I would like to know if Kentico has taken care of this bug in the FCKeditor in the CMS and what Kentico does about security bugs that are found in third party components like FCKeditor.

Thanks,
Scott

kentico_michal - 7/28/2011 2:12:10 AM
   
RE:FCKedit Security Vulnerability
Hello Scott,

We are not aware of any bug related to file upload. Moreover, because of the fact that Kentico CMS checks allowed file extensions, FCKEditor in Kentico can be considered as a safe solution. Just for your information, there will be a new CKEditor used instead of FCKEditor in the next version of Kentico CMS 6.0 (Q3-Q4/2011).

Best regards,
Michal Legen

scott_hancock-urmc.rochester - 7/28/2011 10:41:31 AM
   
RE:FCKedit Security Vulnerability
It's a very serious vulnerability that's been around for a while, and since it will be a while until we're ready to upgrade, my manager and I are concerned. Here are some references:

http://www.techrepublic.com/blog/security/highly-critical-fckeditor-vulnerability-reported/321
http://www.securityfocus.com/bid/31812
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2006-0658
http://secunia.com/advisories/18767/

Scott

scott_hancock-urmc.rochester - 7/28/2011 10:44:18 AM
   
RE:FCKedit Security Vulnerability
Here is a more comprehensive list.

http://web.nvd.nist.gov/view/vuln/search-results?query=fckeditor&search_type=all&cves=on

kentico_michal - 7/29/2011 2:03:02 AM
   
RE:FCKedit Security Vulnerability
Hello,

Kentico CMS R2 uses almost the last released version of FCKEditor (in particular 2.6.5), so I believe that according to this article the bug (Highly critical FCKEditor vulnerability reported) has been fixed in the FCKEditor 2.5.

Best regards,
Michal Legen

scott_hancock-urmc.rochester - 7/29/2011 7:59:12 AM
   
RE:FCKedit Security Vulnerability
Hello,

I checked and the last released version is FCKEditor 2.6.6 (February 2010). The release history shows that 2.6.5 was a security release and 2.6.6 just had bug fixes. Will you be adding the latest version to the CMS (v.5) for people who are not upgrading to v.6?

Fixed in 2.6.6
Avoided infinite loop in IE with invalid HTML
The editor was not loading properly in Safari 3

Thank you for looking into this

Scott

Kentico Support
kentico_zdenekc - 8/3/2011 4:08:14 PM
   
RE:FCKedit Security Vulnerability
Hi,

We don't plan to add that updated version to the current releases (5.5 R2) of Kentico CMS.

The bug description says:
The vulnerability is caused due to an error in the handling of file uploads in editor/filemanager/upload/php/upload.php when a filename has multiple file extensions.

It is a fix for some FCKeditor default script, which is not used in Kentico CMS port, so it shouldn't have any influence on the security.

The infinite loop issue has not been reported yet; it seems to appear only in special cases as well.

If you're experiencing any of the issues, please let us know.

Regards,
Zdenek Cetkovsky
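
The failure mode quoted in the last reply (a filename with multiple file extensions) and the allowed-extension check mentioned earlier in the thread, shown as an added example that is not part of the thread and is not Kentico's or FCKeditor's code. The allow-list contents and all function names are assumptions made for illustration.

```python
import secrets

# Assumed allow-list for illustration; a real deployment defines its own.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})


class UploadRejected(ValueError):
    """Raised when an uploaded filename fails validation."""


def validate_extensions(filename, allowed=ALLOWED_EXTENSIONS):
    """Return the final extension if every dotted segment after the base
    name is on the allow-list; raise UploadRejected otherwise."""
    # Browsers may send a full client path; keep only the last component.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or any(ord(c) < 32 for c in name):
        raise UploadRejected("empty name or control character")
    # Windows drops trailing dots and spaces on save, so "a.aspx." would
    # land on disk as "a.aspx"; normalise before checking.
    name = name.rstrip(". ")
    base, *segments = name.split(".")
    if not base or not segments:
        raise UploadRejected("missing base name or extension")
    # Checking only the last segment is the multiple-extension mistake:
    # "page.aspx.jpg" ends in an allowed extension. Check all of them.
    # (Strict by design: "report.v2.pdf" is rejected too.)
    for seg in segments:
        if seg.lower() not in allowed:
            raise UploadRejected(f"extension segment not allowed: {seg!r}")
    return segments[-1].lower()


def is_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """Boolean wrapper around validate_extensions."""
    try:
        validate_extensions(filename, allowed)
        return True
    except UploadRejected:
        return False


def stored_name(filename, allowed=ALLOWED_EXTENSIONS):
    """Build the on-disk name from random bytes plus the validated final
    extension, so no client-supplied text reaches the file system."""
    return f"{secrets.token_hex(16)}.{validate_extensions(filename, allowed)}"
```

Extension checks like this complement, and do not replace, storing uploads in a directory where the web server will not execute scripts.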