[geeklog-devel] security issue editor(s)

Tom websitemaster at cogeco.net
Sat May 17 10:52:05 EDT 2014


I believe it was Dengen who integrated the CKEditor so hopefully he will
provide a more in-depth answer.

 

I have never really taken a good look at the editor code, but pre-Geeklog
2.0.0 the FCKEditor files were always accessible by anyone who knew the
exact URL (just like now).

 

I assume that the authors of the editor software have taken this into
account and provided the necessary security measures.

 

For the file manager / editor PHP files that tie in with Geeklog, they
either do not allow direct access or have Geeklog's security in place to
make sure the user has access to the feature. This is the same type of
security used to access our admin interface etc.

 

The downside of using popular open source code for different features is you
will get bots looking for security holes. I get tons of bots hitting my
site looking for specific WordPress and Joomla files.

 

One feature request to maybe make things more secure is that we could allow
only so many requests by an IP to a feature they don't have access to before
it is blocked for a period of time. The problem with this is we could also
end up blocking Googlebot etc. by accident (when they try to access stuff
they shouldn't).

 

As far as htaccess, that is not my expertise (I am an IIS guy), so maybe
someone else can comment on it.

 

Tom

 

From: geeklog-devel [mailto:geeklog-devel-bounces at lists.geeklog.net] On
Behalf Of Wim Niemans
Sent: May-16-14 7:09 PM
To: Geeklog Development
Subject: [geeklog-devel] security issue editor(s)

 

 

See http://project.geeklog.net/tracking/view.php?id=1763 

 

Summary:                    editor files are wide open for abuse
Description: 
If an anonymous attacker 'knows' the exact URL, all files of FCKeditor are
wide open for abuse.
Some HTML display errors, like no valid XML response from server, and all
PHP execute.
Maybe this is also true for the CKeditor.

Additional Information: 
Can this be solved by an htaccess entry?
---------------------------------------------------------------------- 
This needs special attention because attacks are detected on the file
manager connector already.

 

Wim
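
The temporary-block idea raised in the reply above, with crawlers exempted only after forward-confirmed reverse DNS so that Googlebot is not blocked by accident, as an added example that is not Geeklog code and not part of the original thread. The class name, thresholds, in-memory store and stub resolvers are assumptions.

```php
<?php
// Added example, not Geeklog code: names, thresholds and the in-memory store are assumptions.
final class DeniedRequestThrottle
{
    private array $hits = [];    // ip => timestamps of recent denied requests
    private array $blocked = []; // ip => unix time at which the block expires
    public function __construct(
        private int $maxDenied = 5,   // denials tolerated per window
        private int $window = 60,     // seconds
        private int $blockFor = 900,  // seconds
        private array $crawlerSuffixes = ['.googlebot.com', '.google.com'],
        private $reverse = 'gethostbyaddr', // injectable so the demo needs no DNS
        private $forward = 'gethostbynamel'
    ) {}

    // Forward-confirmed reverse DNS: the PTR name must end in a crawler suffix
    // and resolve back to the same IP; the User-Agent header is never trusted.
    public function isVerifiedCrawler(string $ip): bool
    {
        $host = ($this->reverse)($ip);
        if (!is_string($host) || $host === $ip) return false;
        foreach ($this->crawlerSuffixes as $suffix) {
            if (str_ends_with(strtolower($host), $suffix)) {
                $ips = ($this->forward)($host);
                return is_array($ips) && in_array($ip, $ips, true);
            }
        }
        return false;
    }

    public function isBlocked(string $ip, int $now): bool
    {
        return ($this->blocked[$ip] ?? 0) > $now;
    }

    // Call whenever access control refuses a request from $ip.
    public function recordDenied(string $ip, int $now): void
    {
        if ($this->isVerifiedCrawler($ip)) return;
        $this->hits[$ip] = [...array_filter($this->hits[$ip] ?? [], fn($t) => $t > $now - $this->window), $now];
        if (count($this->hits[$ip]) >= $this->maxDenied) $this->blocked[$ip] = $now + $this->blockFor;
    }
}

// Constructed demo: documentation-range IPs and stub resolvers, no live DNS.
$ptr = ['192.0.2.10' => 'crawl-1.googlebot.com'];
$t = new DeniedRequestThrottle(3, 60, 900, ['.googlebot.com'], fn($ip) => $ptr[$ip] ?? $ip, fn($h) => array_keys($ptr, $h));
foreach ([1000, 1005, 1010] as $now) { $t->recordDenied('198.51.100.7', $now); $t->recordDenied('192.0.2.10', $now); }
var_dump($t->isBlocked('198.51.100.7', 1011), $t->isBlocked('192.0.2.10', 1011));
```

With PHP's usual one-process-per-request model the counters would need shared storage (a database table or cache) rather than object properties.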

 
