We urge all our clients to upgrade their CMS applications installed along with the 3rd party plugins/modules/themes installed in it.
There are several third party plugins which are vulnerable and need regular update to fix these vulnerabilities. One such plugin is FCKeditor.
FCKeditor contains functionality to handle file uploads and file management. A remote attacker could use this functionality to upload malicious executable files on the system.
Applications using FCKEDITOR (prior to v22.214.171.124 and some newer versions) are vulnerable and can be used to upload malicious files (Webshell and other Backdoor Shells), which could exploit client applications and may corrupt/modify the website files and at the same time could affect other client applications on the same server.
CMS applications using kindeditor (v4.1.5, v4.1.6 or some other versions) are also vulnerable and can be used for remote file upload further risking website files and the server as a whole.
Thus, we would like all our clients to make sure that they upgrade CMS plugins such as FCKeditor or CKeditor to their latest versions.
Tuesday, June 30, 2015