A member of the Subtext team discovered a security vulnerability due to our integration with the FCKEditor control as well as the FreeTextBox control. This vulnerability would potentially allow unauthenticated users to upload files using the file upload tools included with these editors.

The Fix

If you’re running the latest version of Subtext (Subtext 2.1.1), the quickest way to patch your installation is to copy the following web.config file…

<configuration>
    <system.web>
        <authorization>
            <allow roles="Admins" />
            <deny roles="HostAdmins"/>
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

…to the following directories within the Providers\BlogEntryEditor directory.

  • FCKeditor\editor\filemanager\browser\default\connectors\aspx\
  • FCKeditor\editor\filemanager\upload\aspx\
  • FTB\

If you’re running an older version or would rather not have to hunt through your installation, upgrade to Subtext 2.1.2. The only difference between this version and 2.1.1 is the change mentioned above.
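To see how those three rules are applied to a given caller, here is a small added Python model of ASP.NET URL authorization (rules are checked top to bottom, the first one that matches the caller decides, and no match means allow); it is example code for this post, not Subtext code, and the role names are the ones from the web.config above.

```python
"""Model ASP.NET <authorization> rule evaluation for the patch web.config.

Added example, not part of the original post or of Subtext. It embeds the
web.config from the post and checks that an anonymous caller is denied.
"""
import xml.etree.ElementTree as ET

# The web.config from the post, embedded so the check runs offline.
PATCH_CONFIG = """<configuration>
    <system.web>
        <authorization>
            <allow roles="Admins" />
            <deny roles="HostAdmins"/>
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>"""


def parse_rules(xml_text):
    """Return (action, kind, values) tuples in document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root.iter():
        if el.tag in ("allow", "deny"):
            for kind in ("users", "roles"):
                if kind in el.attrib:
                    values = [v.strip() for v in el.attrib[kind].split(",")]
                    rules.append((el.tag, kind, values))
    return rules


def is_allowed(rules, user, roles=()):
    """user is None for an anonymous caller; '*' matches everyone, '?' anonymous."""
    for action, kind, values in rules:
        if kind == "users":
            hit = ("*" in values
                   or (user is None and "?" in values)
                   or (user is not None and user in values))
        else:
            hit = any(r in values for r in roles)
        if hit:
            return action == "allow"  # first matching rule wins
    return True  # ASP.NET default when nothing matches


def config_blocks_anonymous(xml_text):
    """True when the config denies an unauthenticated caller."""
    return not is_allowed(parse_rules(xml_text), None)
```

Run `config_blocks_anonymous` against each of the three directories' web.config files to confirm the patch landed; note that a HostAdmin who is also in Admins is still allowed, because the allow rule is matched first.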

Notes

This is the second time we’ve been bitten by integration issues with these rich text editors. The Subtext team takes security very seriously and regrets that this vulnerability was released. We’ll take a hard look at these integration points and may consider turning them off by default or applying some other mitigation. I have a feeling that most of our users use Windows Live Writer or some other such application to post to their blog anyway.

You might wonder why we don’t simply include that web.config file within the Providers directory. I tested that out and unfortunately it breaks FCKEditor for no good reason that I could deduce.

Again, I feel terrible that this happened and we’ll work hard to ensure it doesn’t again. My thanks goes to Si Philp who found the issue and discreetly reported it.

Download

The URL to the new version of Subtext is here.