FCKEditor Upload Exploit

glFusion v1.0.0 and v1.0.1 are vulnerable to unsolicited file upload via the FCKEditor.  A malicious user could upload files to the public_html/images/library/ directory of your web server using this hole.  Fortunately, the file types are filtered by the whitelist in FCKeditor so only media type files can be uploaded. This means no PHP or JavaScript files could be uploaded.  Regardless, you should update the upload.php file shipped with glFusion with the latest patched version to prevent any unsolicited uploads.

A fix is published on the glFusion Issues Page.  To manually patch upload.php, make the following modification: edit public_html/fckeditor/editor/filemanager/connectors/php/upload.php, at the beginning of the upload.php file, after the copyright notice but before the first require(...), add this piece of code:

if (strpos ($_SERVER['PHP_SELF'], 'upload.php') !== false)

{

    die ('This file can not be used on its own.');

}

Save the file and you are done.