TinyMCE and Security

Posted April 17, 2012 by Purefan in phpFox v3

We have received a new report about a potential security threat to phpFox sites:
TinyMCE has a plug-in system that lets you extend it in a number of ways. One of the add-ons for TinyMCE is a file manager, which allows you to upload files and post links to files on your server from within TinyMCE. phpFox does not come with this add-on and we do not provide it; however, it has come to our attention that some clients are uploading it themselves. The add-on we have heard of is called “ajaxfilemanager”. Running this add-on safely requires a lot of work and know-how. Our advice is not to use it at all.

Another security concern is the folder /static/jscript/. From the reports we have received, it seems some clients are putting their site backups in this and other public folders.
As a general rule, do not put site backups in the public folder of your web server. In other words, do not put .zip files or .sql files in /public_html/ or /httpdocs/ or anywhere they can be downloaded from a web browser without logging in.
Apache has a rule to stop showing the contents of a directory if no index.html or index.php file is present. We cannot add this rule to the default package because some configurations may not allow this directive and it would throw a 500 error. Our next version (to be released tomorrow) will include this directive but commented out: you can enable it, and if your server accepts it you can use it; otherwise you know exactly what caused the problem and can revert it immediately.
We are also placing more index files in case your server does not like the .htaccess directive.
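
To check your own site for the issues described above, here is an added example script (not part of phpFox or of the original post) that scans a web root for downloadable backups, copies of the ajaxfilemanager add-on, and directories with no index file. The function names and the extra backup extensions beyond .zip and .sql are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not phpFox code. Audits a web root for the exposures above.

# Backup-like files a browser could fetch. .zip and .sql come from the post;
# the other extensions are assumed common backup names.
find_public_backups() {
    find "$1" -type f \( -iname '*.zip' -o -iname '*.sql' \
        -o -iname '*.sql.gz' -o -iname '*.tar.gz' -o -iname '*.tgz' \) -print
}

# Uploaded copies of the "ajaxfilemanager" add-on.
find_ajaxfilemanager() {
    find "$1" -type d -iname 'ajaxfilemanager' -print
}

# Directories with neither index.html nor index.php. Apache lists their
# contents unless directory indexes are disabled (e.g. Options -Indexes).
find_unindexed_dirs() {
    find "$1" -type d -print | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Print a report. Returns 1 if a backup or the add-on was found, else 0.
# Directories without an index file are reported but do not change the status.
audit_webroot() {
    root=$1
    rc=0
    backups=$(find_public_backups "$root")
    addon=$(find_ajaxfilemanager "$root")
    listable=$(find_unindexed_dirs "$root")
    if [ -n "$backups" ]; then
        printf 'Backups reachable from a browser:\n%s\n' "$backups"; rc=1
    fi
    if [ -n "$addon" ]; then
        printf 'ajaxfilemanager add-on present:\n%s\n' "$addon"; rc=1
    fi
    if [ -n "$listable" ]; then
        printf 'No index file (listable unless indexes are disabled):\n%s\n' "$listable"
    fi
    return "$rc"
}

# Run as: sh audit.sh /path/to/public_html
if [ -d "${1:-}" ]; then audit_webroot "$1"; fi
```

A non-zero exit status means at least one backup file or ajaxfilemanager directory sits under the web root and should be moved or removed.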

Version 3.2.0 Beta 1 is scheduled for tomorrow with new features and more bug fixes.