
FCKEditor Security Update

The FCKeditor team has published a security update to address issues highlighted in this security advisory.  All glFusion users are urged to apply the published updates to their sites. 

The security advisory states that there are input sanitization issues that can lead to unauthorized files being uploaded to a site.  The advisory also points out several issues with the _samples directory included in the standard FCKeditor distribution.  glFusion does not ship these sample directories; it includes only the PHP file connector from the FCKeditor distribution.

Please use the support forums if you have any questions or concerns.


DokuWiki Integration Plugin v1.7.1 Released

We have released a minor update to the DokuWiki Integration plugin that resolves a potential local file include vulnerability if PHP's register_globals is on.  You can download the full DokuWiki v1.7.1 release here.

The only change in this release is to the public_html/dokuwiki/inc/init.php file. Existing DokuWiki users can download and apply the following patch to resolve the issue:

public_html/dokuwiki/inc/init.php



glFusion v1.1.2 and earlier Security Fix

Security

A vulnerability has been identified in all current glFusion versions that allows an attacker to expose the password hash for users on your site, including the Admin user.  This could lead to an attacker successfully logging into your site using those compromised credentials.


All glFusion users should replace the listfactory.class.php source file with this updated version which will remove the vulnerability:

private/system/classes/listfactory.class.php

This exploit has highlighted some additional concerns that we are currently investigating; we will post further updates as necessary.



Potential XSS Issue with Anonymous Comments

Bjarne Mathiesen Schacht has reported a potential XSS issue when a site accepts anonymous comments. To resolve the issue, please update the lib-comment.php file in the private/system/ directory.

You can also disable anonymous comments, which resolves the issue as well. It is still recommended that you apply the following update.

This fix can be applied to v1.1.0 and v1.1.1 of glFusion. If you are running an older version, please update to the latest release version as soon as possible.

private/system/lib-comment.php


FCKEditor Upload Exploit

glFusion v1.0.0 and v1.0.1 are vulnerable to unsolicited file upload via the FCKEditor.  A malicious user could upload files to the public_html/images/library/ directory of your web server through this hole.  Fortunately, file types are filtered by the whitelist in FCKeditor, so only media-type files can be uploaded; no PHP or JavaScript files could be uploaded.  Regardless, you should update the upload.php file shipped with glFusion with the latest patched version to prevent any unsolicited uploads.

A fix is published on the glFusion Issues Page.  To patch upload.php manually, edit public_html/fckeditor/editor/filemanager/connectors/php/upload.php and, at the beginning of the file (after the copyright notice but before the first require(...)), add this piece of code:

if (strpos ($_SERVER['PHP_SELF'], 'upload.php') !== false)
{
    die ('This file can not be used on its own.');
}

Save the file and you are done.
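Since any direct request to the quick-upload connector is unsolicited on a glFusion site, site owners may want to check their web server logs for such requests, both to see whether the hole was used before patching and to confirm the guard is being hit afterwards. The following is an added example, not glFusion's or FCKeditor's code; it assumes public_html/ is the document root (so the connector is served at /fckeditor/editor/filemanager/connectors/php/upload.php), combined-format access logs, and uses constructed log lines.

```python
import re
from collections import Counter

# Web path of the FCKeditor quick-upload connector, assuming public_html/
# is the site's document root (an assumption made for this example).
UPLOAD_CONNECTOR = "/fckeditor/editor/filemanager/connectors/php/upload.php"

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Drop the query string so "?Type=Image&..." still matches the connector path.
    d["path"] = d["path"].split("?", 1)[0]
    return d


def find_upload_hits(lines):
    """Return the parsed entries for every request made directly to the connector."""
    hits = []
    for line in lines:
        d = parse_line(line)
        if d and d["path"].lower().endswith(UPLOAD_CONNECTOR):
            hits.append(d)
    return hits


def summarize(hits):
    """Count hits per (client IP, method, status); POSTs are the ones to review,
    since a POST is how a file would have been submitted to the connector."""
    return Counter((h["ip"], h["method"], h["status"]) for h in hits)


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2009:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2009:10:01:09 +0000] "POST /fckeditor/editor/filemanager/connectors/php/upload.php?Type=Image HTTP/1.1" 200 312',
    '198.51.100.7 - - [10/Mar/2009:10:02:30 +0000] "GET /FCKeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 200 41',
    'not a log line',
]

if __name__ == "__main__":
    for key, count in summarize(find_upload_hits(SAMPLE_LOG)).items():
        print(key, count)
```

Note that the guard above ends the script with die(), which still returns HTTP 200, so a hit's status code alone does not tell you whether the patch refused it; the response size and method are the useful signals.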