While I was leaving for Barcelona to visit a friend and to enjoy Les Festes de la Mercè, a user of Subtext found a security problem in our integration with the WYSIWYG editor FCKeditor. Only one day after it was discovered, Phil released a security patch that fixes the problem.

The vulnerability allowed an unauthenticated user to upload files to the images folder of a blog.

To secure your installation of Subtext, just download the secured version of the FCKeditor provider DLL or, as a workaround, remove the following folder: Providers\BlogEntryEditor\FCKeditor\editor\filemanager
