Urgent: Subtext Security Patch


UPDATE: We released Subtext 2.0 which also includes the fix for this vulnerability among many other bug fixes.

A Subtext user reported a security vulnerability caused by a flaw in our integration with the FCKEditor control, which allows someone to upload files into the images directory without being authenticated.

As far as we know, nobody has been seriously affected, but please update your installation as soon as possible. Our apologies for the inconvenience.

The fix should be relatively quick and painless to apply.

The Fix

If you’re running Subtext 1.9.* we have a fix available consisting of a single assembly, Subtext.Providers.BlogEntryEditor.FCKeditor.dll. After you download it (Subtext1.9.5-PATCH.zip, 7.72KB), unzip the assembly (I recommend backing up your old one just in case) and copy it into your bin directory.

Alternative Workaround

If you’re running a customized version and the above patch causes problems, you can work around this issue by backing up and then temporarily removing the following directory in your installation.

Providers\BlogEntryEditor\FCKeditor\editor\filemanager
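The two procedures above (install the patched assembly into bin, or back up and remove the filemanager directory) scripted for an administrator, plus a quick audit of the images directory that the flaw allowed unauthenticated uploads into. This is an added example, not code from the Subtext project or the original post. The site root, the folder the patch zip was unzipped into, and the relative path of the images directory are assumptions passed as parameters; the file and directory names themselves are the ones named in the post.

```powershell
<#
  Added example; not part of the Subtext patch or the original post.
  Assumed (not stated on the page): -SiteRoot, the -PatchDir the zip was
  extracted to, and that the blog's images directory is "<SiteRoot>\images".
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $SiteRoot,                            # e.g. C:\inetpub\wwwroot\subtext (assumed)
    [string] $PatchDir  = ".\Subtext1.9.5-PATCH",  # where Subtext1.9.5-PATCH.zip was unzipped (assumed)
    [string] $ImagesDir = "images",                # assumed relative path of the images directory
    [switch] $Workaround                           # use the alternative workaround instead of the patch
)

$ErrorActionPreference = "Stop"

# Every change is preceded by a copy into a timestamped backup folder, as the post advises.
$stamp      = Get-Date -Format "yyyyMMdd-HHmmss"
$backupRoot = Join-Path $SiteRoot ("_subtext-backup-" + $stamp)
New-Item -ItemType Directory -Path $backupRoot | Out-Null

$dllName     = "Subtext.Providers.BlogEntryEditor.FCKeditor.dll"
$binDll      = Join-Path (Join-Path $SiteRoot "bin") $dllName
$fileManager = Join-Path $SiteRoot "Providers\BlogEntryEditor\FCKeditor\editor\filemanager"

if ($Workaround) {
    # Alternative workaround: back up, then remove the filemanager directory.
    if (Test-Path $fileManager) {
        Move-Item -Path $fileManager -Destination (Join-Path $backupRoot "filemanager")
        Write-Host "Moved filemanager directory to $backupRoot"
    } else {
        Write-Host "filemanager directory not present; nothing to remove"
    }
} else {
    # The fix: back up the old assembly, then copy the patched one into bin.
    $patchedDll = Join-Path $PatchDir $dllName
    if (-not (Test-Path $patchedDll)) { throw "Patched assembly not found at $patchedDll" }
    if (Test-Path $binDll) {
        Copy-Item -Path $binDll -Destination (Join-Path $backupRoot $dllName)
    }
    Copy-Item -Path $patchedDll -Destination $binDll -Force
    Write-Host "Installed $dllName into $(Split-Path $binDll)"
}

# Audit (added here, not from the post): list files in the images directory whose
# extension is not a typical image type, newest first. Because the flaw allowed
# unauthenticated uploads into this directory, anything unexpected here deserves a
# look before it is removed. Uses PSIsContainer rather than -File so it also works
# on older PowerShell versions.
$imagesPath = Join-Path $SiteRoot $ImagesDir
$imageExt   = @(".gif", ".jpg", ".jpeg", ".png", ".bmp")
if (Test-Path $imagesPath) {
    Get-ChildItem -Path $imagesPath -Recurse |
        Where-Object { -not $_.PSIsContainer -and ($imageExt -notcontains $_.Extension.ToLower()) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
} else {
    Write-Host "Images directory not found at $imagesPath; skipping audit"
}
```

Run it as `.\Apply-SubtextPatch.ps1 -SiteRoot C:\inetpub\wwwroot\subtext` (script name assumed) to install the patched assembly, or add `-Workaround` to remove the filemanager directory instead; either way the original files end up in the `_subtext-backup-*` folder under the site root so the change can be reverted.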

Notes

The Subtext team takes security very seriously and we regret that this flaw made it into our system. We appreciate that a user discreetly brought it to our attention and worked quickly to create and test a patch. I went ahead and updated the release on SourceForge (if you’ve downloaded Subtext-1.9.5b then you’re safe) so that no new downloads are affected.

The code also has been fixed in Subversion in case you’re running a custom built version of Subtext.

I will follow up with a post later describing the issue in more detail and what we plan to do to mitigate such risks in the future. I’ll also write a post outlining general guidelines for reporting and handling security issues in an open source project based on guidance provided by the Karl Fogel book, Producing Open Source Software.

Again, I am sorry for any troubles and inconvenience this may have caused. If you know any Subtext users, please let them know. I’ll be updating the website momentarily.

Download

Again, here is the patch location.


Comments


9 responses

  1. Jayson Knight September 20th, 2007

    And now all the hackers know what to attack on SubText sites that aren't patched. I don't think I would have given much detail on the exact specifics of the vulnerability in this case.

  2. Haacked September 20th, 2007

    Well all the information you need is in the patch itself using Reflector. However, I think the attack isn't trivial in that someone would have to dig around a bit to find out exactly how to exploit it.

  3. Braden September 20th, 2007

    Thanks for the heads up and for the patch which fixes the problem.
    I've applied the painless-to-apply-patch to my site and all's well again.
    Best -
    Braden
    P.S. In response to Jason's comment: Jason, those who are already running Subtext should already have the know-how to make sure that their web servers and all corresponding web applications such as Subtext are properly patched in the first place. Sort of like what we all do during "Black Tuesday," right? :-)

  4. Jayson Knight September 20th, 2007

    @Braden: True, and after re-reading my comment I realize I came off like a jackass. Blame the 3 straight 12+ hour days I've had ;-).
    But since you brought up MS...whenever they release a so called 'critical' patch, they don't spell out how to exploit it, they just say "could allow an attacker to take control of a machine" blah blah blah. I realize that in the OSS world, being transparent is a necessity, but had this been a large software package I wrote for a client, they would not have been happy had I published the steps needed for an attacker to take advantage of an exploit. Not happy at all.

  5. Haacked September 20th, 2007

    @jayson but I didn't spell out how to exploit it.
    I said, "which allows someone to upload files into the images directory without being authenticated" but didn't say how one would go about doing that.

  6. CodeClimber September 23rd, 2007

    Subtext security patch

  7. Angry Hacker September 27th, 2007

    Subtext to MySQL progress report

  8. junn.a September 28th, 2007

    Why not state the found bug authors

  9. Lee Brandt May 7th, 2008

    As always, thanks to Phil for keeping up with all this and making sure everyone is aware and able to get the patch and apply it. We all know you have a super-busy schedule and appreciate you taking the time to give as much info as possible.