Index: /FCKeditor/trunk/_whatsnew.html
===================================================================
--- /FCKeditor/trunk/_whatsnew.html (revision 7668)
+++ /FCKeditor/trunk/_whatsnew.html (revision 7669)
@@ -34,9 +34,14 @@
FCKeditor ChangeLog - What's New?
- Version 2.6.8
+ Version 2.6.9
Fixed Bugs:
- - Security release, upgrade is highly recommended (fixed XSS issue).
+ - Security release, upgrade is highly recommended .
+ - (ASP) File Upload Protection Bypass - reported by Soroush Dalili (@irsdl), Mostafa Azizi
+ - XSS vulnerability in built-in file manager - reported by Soroush Dalili (SecProject.com)
+
+
+ - #9716 Fix FCKeditor browser detection to work with Firefox 17 and IE 10
Index: /FCKeditor/trunk/_whatsnew_history.html
===================================================================
--- /FCKeditor/trunk/_whatsnew_history.html (revision 7668)
+++ /FCKeditor/trunk/_whatsnew_history.html (revision 7669)
@@ -33,4 +33,11 @@
FCKeditor ChangeLog - What's New?
+
+ Version 2.6.8
+
+ Fixed Bugs:
+
+ - Security release, upgrade is highly recommended (fixed XSS issue).
+
Version 2.6.7
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp (revision 7669)
@@ -281,8 +281,8 @@
If sDenied = "" Then
- oRE.Pattern = sAllowed
+ oRE.Pattern = "^(" & sAllowed & ")$"
IsAllowed = (sAllowed = "") Or oRE.Test(sExt)
Else
- oRE.Pattern = sDenied
+ oRE.Pattern = "^(" & sDenied & ")$"
IsAllowed = Not oRE.Test(sExt)
End If
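Review bot: The `^(` … `)$` anchoring on the two `oRE.Pattern` lines fixes the substring match, but whether the comparison is case-insensitive is not visible in this hunk — `IsHtmlExtension` below sets `oRE.IgnoreCase = True` explicitly, and this function may not. If `sExt` arrives un-normalized and IgnoreCase is off, a deny list of `asp|aspx` would not reject an `.ASP` upload, so either set `oRE.IgnoreCase = True` before the test or lower-case `sExt` at the top of the function and document that contract. The enclosing `IsAllowed` function starts and ends outside the hunk.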
@@ -300,5 +300,5 @@
oRE.IgnoreCase = True
oRE.Global = True
- oRE.Pattern = sHtmlExtensions
+ oRE.Pattern = "^(" & sHtmlExtensions & ")$"
IsHtmlExtension = oRE.Test(sExt)
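Review bot: An empty `sHtmlExtensions` now yields the pattern `^()$`, which matches only an empty extension, whereas the previous unanchored empty pattern presumably matched every extension; the `IsAllowed` hunk guards its list with `(sAllowed = "")`, but this function has no equivalent guard. If an empty HTML list is meant as "nothing is treated as HTML", make that explicit with `If sHtmlExtensions = "" Then IsHtmlExtension = False : Exit Function` before the pattern assignment. `oRE.Global = True` has no effect on `Test` and can be dropped. `IsHtmlExtension` starts outside the hunk.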
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp (revision 7669)
@@ -89,4 +89,6 @@
' Attention: It must end with a slash: '/'
'
+' WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+' SWF files can be used to perform XSS attack.
Dim ConfigAllowedExtensions, ConfigDeniedExtensions, ConfigFileTypesPath, ConfigFileTypesAbsolutePath, ConfigQuickUploadPath, ConfigQuickUploadAbsolutePath
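Review bot: The added WARNING comment recommends removing `swf`, yet the default `File` allowed list this commit ships still contains it — the list itself is outside this hunk for config.asp, but the config.ascx, config.pl, config.php and config.py hunks show `swf` present in the shipped default, and config.cfm and config.lasso add the same comment. A warning the administrator must act on is weaker than a safe default; drop `swf` from the default `AllowedExtensions` in each connector config and keep the comment for anyone who deliberately re-adds it. Minor wording in the comment itself: `SWF files can be used to perform an XSS attack.`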
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/connector.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/connector.asp (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/connector.asp (revision 7669)
@@ -53,5 +53,5 @@
' Check if it is an allowed command
if ( Not IsAllowedCommand( sCommand ) ) then
- SendError 1, "The """ & sCommand & """ command isn't allowed"
+ SendError 1, "The requested command isn't allowed"
end if
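Review bot: Dropping `sCommand` from the message removes the reflected value from this one error, but `SendError` still receives caller-built strings, and if it writes the message into the XML response without encoding (its implementation is outside the hunk) any other caller that interpolates request data stays exposed; the same instance-by-instance fix is repeated in upload.asp, connector.php, upload.php, connector.py and upload.py. Encoding inside `SendError`/`SendUploadResults` (e.g. `Server.HTMLEncode` for the ASP connectors, `htmlspecialchars` for the PHP ones) would fix the class rather than the instance, and the rejected command name could then still be recorded in a server-side log for detection. The `if` block is complete within the hunk.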
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/upload.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/upload.asp (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/upload.asp (revision 7669)
@@ -53,10 +53,10 @@
' Is Upload enabled?
if ( Not IsAllowedCommand( sCommand ) ) then
- SendUploadResults "1", "", "", "The """ & sCommand & """ command isn't allowed"
+ SendUploadResults "1", "", "", "The requested command isn't allowed"
end if
' Check if it is an allowed resource type.
if ( Not IsAllowedType( sResourceType ) ) Then
- SendUploadResults "1", "", "", "The " & sResourceType & " resource type isn't allowed"
+ SendUploadResults "1", "", "", "The requested resource type isn't allowed"
end if
Index: /FCKeditor/trunk/editor/filemanager/connectors/aspx/config.ascx
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/aspx/config.ascx (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/aspx/config.ascx (revision 7669)
@@ -67,4 +67,7 @@
HtmlExtensions = new string[] { "html", "htm", "xml", "xsd", "txt", "js" };
+ // WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+ // SWF files can be used to perform XSS attack.
+
TypeConfig[ "File" ].AllowedExtensions = new string[] { "7z", "aiff", "asf", "avi", "bmp", "csv", "doc", "fla", "flv", "gif", "gz", "gzip", "jpeg", "jpg", "mid", "mov", "mp3", "mp4", "mpc", "mpeg", "mpg", "ods", "odt", "pdf", "png", "ppt", "pxd", "qt", "ram", "rar", "rm", "rmi", "rmvb", "rtf", "sdc", "sitd", "swf", "sxc", "sxw", "tar", "tgz", "tif", "tiff", "txt", "vsd", "wav", "wma", "wmv", "xls", "xml", "zip" };
TypeConfig[ "File" ].DeniedExtensions = new string[] { };
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_connector.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_connector.cfm (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_connector.cfm (revision 7669)
@@ -125,5 +125,5 @@
- '>
+ '>
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_upload.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_upload.cfm (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_upload.cfm (revision 7669)
@@ -77,10 +77,10 @@
-
+
-
+
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_connector.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_connector.cfm (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_connector.cfm (revision 7669)
@@ -59,5 +59,5 @@
-
+
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_upload.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_upload.cfm (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_upload.cfm (revision 7669)
@@ -61,5 +61,5 @@
-
+
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/config.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/config.cfm (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/config.cfm (revision 7669)
@@ -113,4 +113,7 @@
// Attention: The above 'QuickUploadPath' must point to the same directory.
// Attention: It must end with a slash: '/'
+//
+// WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+// SWF files can be used to perform XSS attack.
Config.AllowedExtensions = StructNew() ;
Index: /FCKeditor/trunk/editor/filemanager/connectors/lasso/config.lasso
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/lasso/config.lasso (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/lasso/config.lasso (revision 7669)
@@ -40,4 +40,7 @@
Set which file extensions are allowed and/or denied for each file type.
+
+ WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+ SWF files can be used to perform XSS attack.
*/
var('config') = map(
Index: /FCKeditor/trunk/editor/filemanager/connectors/perl/config.pl
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/perl/config.pl (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/perl/config.pl (revision 7669)
@@ -33,4 +33,7 @@
$GLOBALS{'UserFilesDirectory'} = $rootpath . $GLOBALS{'UserFilesPath'};
+# WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+# SWF files can be used to perform XSS attack.
+
%allowedExtensions = ("File", "7z|aiff|asf|avi|bmp|csv|doc|fla|flv|gif|gz|gzip|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|ods|odt|pdf|png|ppt|pxd|qt|ram|rar|rm|rmi|rmvb|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|wav|wma|wmv|xls|xml|zip",
"Image", "bmp|gif|jpeg|jpg|png",
Index: /FCKeditor/trunk/editor/filemanager/connectors/php/config.php
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/php/config.php (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/php/config.php (revision 7669)
@@ -120,4 +120,7 @@
*/
+// WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+// SWF files can be used to perform XSS attack.
+
$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
$Config['DeniedExtensions']['File'] = array() ;
Index: /FCKeditor/trunk/editor/filemanager/connectors/php/connector.php
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/php/connector.php (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/php/connector.php (revision 7669)
@@ -52,5 +52,5 @@
// Check if it is an allowed command
if ( ! IsAllowedCommand( $sCommand ) )
- SendError( 1, 'The "' . $sCommand . '" command isn\'t allowed' ) ;
+ SendError( 1, 'The requested command isn\'t allowed' ) ;
// Check if it is an allowed type.
Index: /FCKeditor/trunk/editor/filemanager/connectors/php/upload.php
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/php/upload.php (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/php/upload.php (revision 7669)
@@ -48,5 +48,5 @@
// Is enabled the upload?
if ( ! IsAllowedCommand( $sCommand ) )
- SendUploadResults( '1', '', '', 'The ""' . $sCommand . '"" command isn\'t allowed' ) ;
+ SendUploadResults( '1', '', '', 'The requested command isn\'t allowed' ) ;
// Check if it is an allowed type.
Index: /FCKeditor/trunk/editor/filemanager/connectors/py/config.py
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/py/config.py (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/py/config.py (revision 7669)
@@ -118,4 +118,7 @@
# Attention: It must end with a slash: '/'
+# WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+# SWF files can be used to perform XSS attack.
+
AllowedExtensions['File'] = ['7z','aiff','asf','avi','bmp','csv','doc','fla','flv','gif','gz','gzip','jpeg','jpg','mid','mov','mp3','mp4','mpc','mpeg','mpg','ods','odt','pdf','png','ppt','pxd','qt','ram','rar','rm','rmi','rmvb','rtf','sdc','sitd','swf','sxc','sxw','tar','tgz','tif','tiff','txt','vsd','wav','wma','wmv','xls','xml','zip']
DeniedExtensions['File'] = []
Index: /FCKeditor/trunk/editor/filemanager/connectors/py/connector.py
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/py/connector.py (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/py/connector.py (revision 7669)
@@ -64,5 +64,5 @@
# Check if it is an allowed command
if ( not command in Config.ConfigAllowedCommands ):
- return self.sendError( 1, 'The %s command isn\'t allowed' % command )
+ return self.sendError( 1, 'The requested command isn\'t allowed' )
if ( not resourceType in Config.ConfigAllowedTypes ):
Index: /FCKeditor/trunk/editor/filemanager/connectors/py/upload.py
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/py/upload.py (revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/py/upload.py (revision 7669)
@@ -49,5 +49,5 @@
# Check if it is an allowed command
if ( not command in Config.ConfigAllowedCommands ):
- return self.sendUploadResults( 1, '', '', 'The %s command isn\'t allowed' % command )
+ return self.sendUploadResults( 1, '', '', 'The requested command isn\'t allowed' )
if ( not resourceType in Config.ConfigAllowedTypes ):