I run FCKEDITOR 6.x-2.3 on a Drupal 6 website. A hacker team worked to see if there is any security issue on the website, and they found some vulnerabilities with FCKEDITOR: an anonymous user can upload files to the server using some uploader like this one.

As an anonymous user I can access directories such as:

sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/browser.html

sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/frmupload.html

to upload my uploader file. Is there a way to fix it? Or should I forget about using FCKEDITOR or any other WYSIWYG editors?

Comments

Have you followed the instructions at http://drupalcode.org/project/fckeditor.git/blob/refs/heads/6.x-2.x:/REA... ? That include should take care of security.

Thanks for your reply jorrit, but the part you mentioned is about how to enable the built-in file browser. I'm using IMCE for that. Do I need to switch back to the built-in one? Does that solve the problem?

See also line 189 in the README.txt.

(If you are using IMCE, then make sure that *no* roles have the permission "allow fckeditor file uploads".)

Maybe the file browser is enabled on your site (per the instructions at line 166). In that case, disable it as well.