News

FCKeditor input sanitization errors

  • Sunday, July 05 2009 @ 07:20 am EDT
  • Views: 11,611
Security

An advisory has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not. A patch for these issues is supposed to be released this coming Monday (July 6).

Here's what we know:

  • The advisory mentions that "several" of the FCKeditor connector modules are affected and suggests removing all unused connectors. Geeklog only ships with one connector (for PHP), but it's not clear whether this connector is affected or not.
  • There's a second issue regarding XSS in the FCKeditor samples. Geeklog does not include the samples, so we're not affected by this issue at least.

Geeklog 1.6.0rc1

  • Sunday, June 28 2009 @ 12:10 pm EDT
  • Views: 4,501
Announcements

We're getting there: The first Release Candidate for Geeklog 1.6.0 is now available for download.

There were only a few changes over beta 3, mostly in the install script. As the name "release candidate" suggests, we don't expect any more significant changes now, so if you haven't had a chance to try out one of the betas, now would be a good time to give 1.6.0 a test drive before it becomes final.

Geeklog 1.6.0 BETA 3

  • Sunday, June 21 2009 @ 04:20 am EDT
  • Views: 5,312
Announcements

The third beta version of Geeklog 1.6.0 is now available for download.

This version fixes a few more issues with the new search, addresses the XSS reported for the install script, and also includes a more prominent reminder to remove the install script after installation or upgrade.

The main reason for this third beta (instead of it being rc1), however, is the last-minute addition of a new minor security feature to prevent "clickjacking". This feature requires support from the browser, though, and is currently only implemented in IE 8 and Safari 4. Other browsers will surely add support shortly.