The file manager packaged with versions of the fckeditor library older than 2.6.4.1 is vulnerable to a directory traversal attack, as described in CVE-2009-2265.

Therefore, I believe this module should refuse to activate the file manager if the installed version of the library is too old.

I personally only learnt about this problem via the debian security announcements list, which most Drupal site admins don't read. I believe that deprecating the older versions of this module is necessary for them to learn about this problem.

I have not written a patch because I preferred to upgrade this library for sites I maintain, and I believe the module maintainers can probably do this better, but if it would help I can write this patch and post it here.

(I have already reported this to the Drupal security team, but they informed me that security issues for external libraries not hosted on drupal.org are outside the scope of their responsibilities. I then reported this privately to a module maintainer via the user contact form on 18 July 2009, but received no response. So, I have decided to report this publicly.)
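The check proposed above, as an added example (it is not the fckeditor module's own code, nor the fix the maintainers later committed): read the library's version and refuse to enable the file manager when it is older than 2.6.4.1, raising a regular Drupal warning instead. It assumes the library advertises its version in fckeditor.js as a string assignment of the form `Version = '2.6.4'`; the helper names `fckeditor_library_version`, `fckeditor_filemanager_allowed` and `fckeditor_filemanager_guard` are hypothetical, and `drupal_set_message()` and `t()` are the Drupal 6 core functions.

```php
<?php
// Added example, not the fckeditor module's own code: keep the FCKeditor
// file manager switched off when the bundled library predates 2.6.4.1,
// the first release without the directory traversal in CVE-2009-2265.

define('FCKEDITOR_MIN_SAFE_VERSION', '2.6.4.1');

/**
 * Extract the library version from fckeditor.js.
 *
 * Assumption: the library states its version in fckeditor.js as a string
 * assignment such as  Version = '2.6.4' . When no such string is found the
 * function returns NULL, which callers must treat as "unknown".
 */
function fckeditor_library_version($library_path) {
  $file = rtrim($library_path, '/') . '/fckeditor.js';
  if (!is_readable($file)) {
    return NULL;
  }
  $js = file_get_contents($file);
  if (preg_match("/Version\\s*=\\s*['\"]([0-9]+(?:\\.[0-9]+)*)['\"]/", $js, $m)) {
    return $m[1];
  }
  return NULL;
}

/**
 * TRUE only when a version was found and is at least the minimum safe one.
 * version_compare() treats the shorter string as lower, so '2.6.4' is
 * correctly ranked below '2.6.4.1'.
 */
function fckeditor_filemanager_allowed($version) {
  if ($version === NULL) {
    // Unknown version: fail closed rather than expose the connector.
    return FALSE;
  }
  return version_compare($version, FCKEDITOR_MIN_SAFE_VERSION, '>=');
}

/**
 * Call this wherever the module decides to enable the file browser.
 * Returns TRUE when the file manager may be activated; otherwise shows a
 * Drupal warning and returns FALSE.
 */
function fckeditor_filemanager_guard($library_path) {
  $version = fckeditor_library_version($library_path);
  if (fckeditor_filemanager_allowed($version)) {
    return TRUE;
  }
  drupal_set_message(
    t('The FCKeditor file manager has been disabled: the installed library (version %version) is older than %min and is affected by CVE-2009-2265. Upgrade the library to re-enable it.',
      array(
        '%version' => ($version === NULL) ? t('unknown') : $version,
        '%min' => FCKEDITOR_MIN_SAFE_VERSION,
      )),
    'warning'
  );
  return FALSE;
}
```

The guard fails closed: a library whose version cannot be determined is treated the same as a known-vulnerable one, so a renamed or truncated fckeditor.js does not silently re-enable the file manager.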

Comments

Jorrit

Version: 5.x-2.2 » 6.x-2.x-dev
Status: Active » Fixed

Only the 6.x-2.x branch contains code that figures out the version of the FCKeditor sources, so a fix can only be implemented there. I have chosen to show just a regular Drupal warning.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.