Security issues with file editors in Scribite before v3.2
scribite! is a third-party extension for Zikula that integrates various WYSIWYG editors for editing your page content. It bundles external file-manager libraries for FCKeditor and TinyMCE (the TinyMCPUK build, included until scribite! 3.1) with upload features. These file managers contain vulnerabilities that allow write access to your file system and pose a severe security risk.
The solution:
- Delete TinyMCPUK (the one included until scribite! 3.1) from /javascript/scribite_editors/tiny_mce.
- Delete FCKeditor from /javascript/scribite_editors/fckeditor.
- Upgrade to version 4.1 or later.
- It is important to delete the editors completely before installing the new version, because some file locations have changed!
Explanation:
The vulnerabilities lie specifically in the external file managers, not in "scribite!" or Zikula. The WYSIWYG editors include third-party file-management tools that can be loaded directly, without going through the scribite! framework for Zikula, thus bypassing Zikula's security checks. If the upload folders are writable, any user can upload files into them without any permission check. Changing the folder permissions to read-only will prevent this, but to be sure, the editors should be deleted.
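As an added check (not from the advisory or the scribite! project), the following shell script inspects a Zikula root for the two editor directories named above and lists any group- or world-writable folders beneath them, which is where an unauthenticated upload through the bundled file manager would land. The function names are mine, and the script assumes the web server runs as an account other than the file owner, so the group/other write bits are what matter; if the server runs as the owner, treat every directory under these trees as writable.

```shell
#!/bin/sh
# Added example, not part of the scribite! advisory or the project's code.
# Audits a Zikula installation for the affected editor bundles and the
# writable folders that make the bundled file managers dangerous.

# list_writable_dirs DIR
# Prints every directory below DIR that is group- or world-writable, one per line.
# Assumption: the web server runs as a non-owner account, so these bits decide
# whether it can write; owner-writable directories are not reported.
list_writable_dirs() {
  find "$1" -type d \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# check_scribite_editors ZIKULA_ROOT
# Reports each affected editor directory from the advisory as PRESENT or absent
# and lists writable folders under present ones.
# Returns 0 when neither directory exists (nothing to remove), 1 otherwise.
check_scribite_editors() {
  root="$1"
  found=0
  for editor in tiny_mce fckeditor; do
    dir="$root/javascript/scribite_editors/$editor"
    if [ -d "$dir" ]; then
      found=1
      echo "PRESENT: $dir (affected editor bundle; delete it before upgrading)"
      list_writable_dirs "$dir" | while read -r d; do
        echo "  WRITABLE: $d (uploads land here without a Zikula permission check)"
      done
    else
      echo "absent:  $dir"
    fi
  done
  return $found
}

# Usage: sh check_scribite.sh /var/www/zikula   (path is a placeholder)
if [ -n "$1" ]; then
  check_scribite_editors "$1"
fi
```

A non-zero exit from `check_scribite_editors` means one of the bundles is still on disk, so the script can gate an upgrade step in a deployment job; the WRITABLE lines tell you which folders to lock down (or remove) if you cannot delete the editor immediately.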
What next?
scribite! will continue to support TinyMCE, using the version packaged at http://tinymce.moxiecode.com/download.php without the file manager; that package is not bundled with scribite!. FCKeditor will be replaced with CKeditor (http://ckeditor.com/) in "scribite!" version 4.2. "scribite!" 4.1 also supports gettext and contains some important modifications in preparation for the next Zikula version, 1.3.0. A dedicated Zikula-based file manager is being written that will take advantage of Zikula's built-in permissions system, thus removing the need for external file managers.


Comments
Comment by:
espaan
19 Dec 2009 - 07:20AM
Not so great news. The extended filemanager of Xinha does not have this problem BTW? The tinymcpuk was good while it lasted.
I hope the Files module will really take off and you can integrate that one with scribite as well.