There is a vulnerability that allows uploading files in the FCKeditor
version included in EGroupware 1.6.001 and EPL 9.1.
See http://www.securityfocus.com/archive/1/504721/30/0/threaded
We are working on a new security update (EGroupware 1.6.002). In the
meantime, please implement the mitigation instructions of the above link.
In short, delete the following directories or make them inaccessible via unix
permissions:
- phpgwapi/js/fckeditor/editor/filemanager/connectors (file upload)
- phpgwapi/js/fckeditor/_samples (XSS)
This will render file upload and the file/image browser unusable! Also check
whether files have been uploaded to your system (typically scripts to
e.g. execute shell commands).
Ralf
Ralf Becker
Director Software Development
Stylite GmbH
[open style of IT]
Morschheimer Strasse 15
67292 Kirchheimbolanden
fon +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: rb@stylite.de
www.stylite.de
www.egroupware.org
Managing Directors Andre Keller, Gudrun Müller,
Nigel Vickers and Ralf Becker
Registration court Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951
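The two mitigation steps from the mail above (make the two FCKeditor directories inaccessible via unix permissions, then check for uploaded script files), as an added shell example that is not part of the original post and not EGroupware's own code. It assumes the first argument is the EGroupware install root; the directory that the FCKeditor file manager uploads into is not named in the mail, so `recent_scripts` takes that path as an argument rather than guessing it.

```shell
#!/bin/sh
# Added example (not from the original mail): lock down the two FCKeditor
# directories named in the advisory and list recently changed script files.

# Directories named in the advisory, relative to the EGroupware root.
FCK_CONNECTORS="phpgwapi/js/fckeditor/editor/filemanager/connectors"
FCK_SAMPLES="phpgwapi/js/fckeditor/_samples"

# lock_down ROOT: strip all permission bits from the two directories
# (chmod 000), the "inaccessible via unix permissions" option from the mail.
# Returns 1 if either directory is missing under ROOT, 0 otherwise.
lock_down() {
    root="$1"
    rc=0
    for rel in "$FCK_CONNECTORS" "$FCK_SAMPLES"; do
        dir="$root/$rel"
        if [ -d "$dir" ]; then
            chmod 000 "$dir" && printf 'locked: %s\n' "$dir"
        else
            printf 'missing: %s\n' "$dir" >&2
            rc=1
        fi
    done
    return $rc
}

# is_locked DIR: true when DIR carries no permission bits at all
# (the nine mode characters from "ls -ld" are all dashes).
is_locked() {
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "---------" ]
}

# recent_scripts DIR DAYS: print files under DIR that look like server-side
# scripts and were modified within the last DAYS days. DIR is assumed to be
# the directory the file manager uploads into (not named in the mail); any
# hit there should be inspected, since images and documents are expected but
# PHP is not.
recent_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.php[0-9]' -o -name '*.phar' \) -mtime -"$2"
}

# Usage (adjust paths to your install):
#   lock_down /var/www/egroupware
#   recent_scripts /var/www/egroupware/<upload-dir> 30
```

Deleting the directories, the other option from the mail, is a plain `rm -r` on the same two paths; the chmod variant is shown because it is reversible once 1.6.002 is installed.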
eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers