
osCMax Security Update - Arbitrary Upload Exploit

This is a discussion on osCMax Security Update - Arbitrary Upload Exploit within the Announcement Discussions forums, part of the osCmax News and Announcements category.

      
  1. #11
    Active Member (Join Date: Jun 2008; Posts: 195; Rep Power: 4)

    Re: osCMax Security Update - Arbitrary Upload Exploit

    Michael,

    Thank-you very much for the reply...as I wasn't sure....so if a back up DB was done, on it...and reload .2, all would be fine?

    Jim

  2. #12
    osCMax Developer michael_s (Join Date: Jul 2002; Location: Phoenix, AZ; Posts: 19,501; Rep Power: 567)

    Re: osCMax Security Update - Arbitrary Upload Exploit

    I do not recommend reinstalling all files. The updated download is primarily for new installs and the only difference is that it removes the insecure files.

    The easiest way to do it would be to just delete the listed files. Second easiest would be to download the new package. Then, delete the FCKeditor dir from your live site, and upload the new FCKeditor dir from the download.

    No installer needed, no messing with the database or any of your other files.
    Michael Sasek
    osCMax Developer


    osCmax installation service - Have our professionals install osCmax on your server - same day service!
    osCmax 2.0 User Manual - the must have beginners guide to osCmax v2.0

    Stay Up To Date with everything osCMax:
    Free osCMax Newsletters - Security notices, New Releases, osCMax News
    osCMax on Twitter - Up to the minute info as it happens. Know it first.

    osCmax Documentation

  3. #13
    New Member (Join Date: Aug 2007; Posts: 14; Rep Power: 0)

    Re: osCMax Security Update - Arbitrary Upload Exploit

    I don't seem to be able to create links from images to pages within my site using the FCK editor within the Define Mainpage module since deleting the files/directories recommended to patch this security issue (I'm running osCMax v2.0 RC3-0-1). Has anyone else run into this?

    Bob

  4. #14
    Active Member (Join Date: Jun 2008; Posts: 195; Rep Power: 4)

    Re: osCMax Security Update - Arbitrary Upload Exploit

    FWIW, I also ran into a problem...as I was using the CSS-Fluid template.. I left my database, removed the old version, used the new version...and some of it broke...So I reverted back to what I had.... and haven't "messed" with the manual deletion deal as of yet.

    If anything, I think my way of going about it will be process of elimination, and just turning off folder/file permissions....one at a time...check the site after each...and go from there...instead of doing a MASS DELETE, etc.

    Jim

  5. #15
    osCMax Developer michael_s (Join Date: Jul 2002; Location: Phoenix, AZ; Posts: 19,501; Rep Power: 567)

    Re: osCMax Security Update - Arbitrary Upload Exploit

    The changes have no effect on define_mainpage or the function of fckeditor. If you are having problems, it is not related to removing the files.

    The files that are removed are never used by osCMax (ever) or any of the fckeditor functions that osCMax uses, so they have no effect on anything other than being a security hole.
    Michael Sasek
    osCMax Developer



  6. #16
    Active Member (Join Date: Jun 2008; Posts: 195; Rep Power: 4)

    Re: osCMax Security Update - Arbitrary Upload Exploit

    Hi Michael, I am just reporting what happened to me..

    1) Using FTP I deleted the DIR that cat was in.

    2) I downloaded the latest, unzipped and went thru the install routine, using the existing DB still up there.

    I thought about sending you a pm, but didn't want to bother you, but if time permits... I might for the heck of it...do it again to see if the above process duplicates itself....and report back...as I couldn't figure out what effect it would have, other than I noticed difference in folder names as I reported/questioned earlier.

    Jim

  7. #17
    osCMax Developer michael_s (Join Date: Jul 2002; Location: Phoenix, AZ; Posts: 19,501; Rep Power: 567)

    Re: osCMax Security Update - Arbitrary Upload Exploit

    Via FTP, just delete the FCKeditor directory. Then upload the new FCKeditor directory. In my above post I recommended AGAINST doing what you describe. There is NO reason to reinstall the shop.

    All you needed to do was remove the FCKeditor dir, then upload the new FCKeditor dir. That is it, a 2 minute operation.
    Michael Sasek
    osCMax Developer
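
The delete-then-upload step described in post #17 can be checked afterwards. This is an added example, not part of the thread or of osCMax: it compares a live FCKeditor directory with the copy from the updated download and reports files that exist only on the live side or whose contents differ. Both directory paths are supplied by the caller, and the file names in `demo_trees` are constructed.

```shell
#!/bin/sh
# Added example: audit a live FCKeditor directory against the package copy.

# List regular files under directory $1, relative to it, sorted.
list_files() {
    (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# Files in the live tree ($1) that the package tree ($2) does not ship.
# After a correct delete-then-upload this prints nothing.
fck_leftovers() {
    list_files "$1" | while IFS= read -r f; do
        [ -e "$2/$f" ] || printf '%s\n' "$f"
    done
}

# Files present in both trees whose contents differ from the package copy.
fck_modified() {
    list_files "$1" | while IFS= read -r f; do
        if [ -f "$2/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print a report; return 0 only when the live tree matches the package.
fck_audit() {
    extra=$(fck_leftovers "$1" "$2")
    changed=$(fck_modified "$1" "$2")
    if [ -n "$extra" ]; then printf 'Not in package:\n%s\n' "$extra"; fi
    if [ -n "$changed" ]; then printf 'Differs from package:\n%s\n' "$changed"; fi
    [ -z "$extra" ] && [ -z "$changed" ]
}

# Constructed demo trees: the live copy was uploaded over the old one instead
# of being deleted first, so a file the update dropped is still present.
demo_trees() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/sub" "$d/live/sub"
    echo 'ok' > "$d/clean/sub/kept.js"
    echo 'ok' > "$d/live/sub/kept.js"
    echo 'old' > "$d/live/sub/dropped_by_update.php"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh LIVE_FCKEDITOR_DIR PACKAGE_FCKEDITOR_DIR
if [ "$#" -eq 2 ]; then fck_audit "$1" "$2"; fi
```

Run it against a local mirror of the live directory; an empty report means the live copy contains exactly what the updated package ships.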

