UPDATE: We released Subtext 2.0, which also includes the fix for this vulnerability, among many other bug fixes.
A Subtext user reported a security vulnerability caused by a flaw in our integration with the FCKeditor control. The flaw allows someone to upload files into the images directory without being authenticated.
As far as we know, nobody has been seriously affected, but please update your installation as soon as possible. Our apologies for the inconvenience.
The fix should be relatively quick and painless to apply.
The Fix
If you’re running Subtext 1.9.*, we have a fix available consisting of a single assembly, Subtext.Providers.BlogEntryEditor.FCKeditor.dll. After you download it...