phpList 2.10.19

Following an advisory from my hosting service, the demonstration version 2.10.19 has now been retired from this site, though the code enhancements (aka hacks) will remain available for download. This has come about because of the XSS and ASP vulnerabilities in the fckeditor.js file (v2.6.3) described in Wiktor’s post of 12/06/2012, in which he announces that 2.6.9 has been released and informs everyone that FCKEditor itself is no longer supported:

We would like to inform you that an update to FCKeditor has just been released. This is a security release that contains a fix for two recently reported issues:

• (ASP) File Upload Protection Bypass – reported by Soroush Dalili (@irsdl), Mostafa Azizi
• XSS vulnerability in built-in file manager – reported by Soroush Dalili (SecProject.com)
Also in this version the detection of IE10 and Firefox17+ has been fixed.

Please note FCKeditor is a retired and no longer supported product. No further updates will be provided and it is highly recommended to upgrade to its successor, CKEditor, that is a far superior, feature-rich and mature product.

The full announcement is on the page “FCKEditor Retired”.

Now the good bit: it looks as though the version of FCKEditor rolled out with phpList 3.0.x (as a plugin, FCKphpList) is based on fckeditor.js version 2.6.8, i.e. the version before the upgrade and before the editor was officially retired by its developer. Fortunately I have never used either of the editors provided with phpList, preferring to use Dreamweaver.

In order to keep your hosting provider happy and your site safe from potential hackers using the XSS vulnerability, I would suggest removing FCKEditor from your production version of phpList.
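Before removing the editor it helps to know every copy that is installed. The script below is an added example, not from this post nor from phpList or FCKEditor; it walks a phpList document root, reads the version out of each fckeditor.js it finds and flags anything older than 2.6.9. It assumes fckeditor.js carries a line of the form FCKeditor.prototype.Version = '2.6.8' ; and the directory layout in the test is constructed.

```shell
#!/bin/sh
# Added example: inventory fckeditor.js copies under a phpList install and
# flag any older than the 2.6.9 security release named in the announcement.
# Assumption: each fckeditor.js contains a line such as
#   FCKeditor.prototype.Version = '2.6.8' ;

FIXED_VERSION="2.6.9"

# Print the version string found in one fckeditor.js, or "unknown".
fck_version() {
    sed -n "s/.*FCKeditor\.prototype\.Version[[:space:]]*=[[:space:]]*'\([0-9.]*\)'.*/\1/p" "$1" \
        | head -n 1 | grep . || echo unknown
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Emit one line per copy: "<path> <version> <ok|OUTDATED>".
# An unreadable version is treated as OUTDATED so it is never silently passed.
scan_phplist() {
    find "$1" -type f -name fckeditor.js 2>/dev/null | while IFS= read -r f; do
        v=$(fck_version "$f")
        if [ "$v" = unknown ] || version_lt "$v" "$FIXED_VERSION"; then
            echo "$f $v OUTDATED"
        else
            echo "$f $v ok"
        fi
    done
}

# Succeed when at least one outdated or unreadable copy exists under $1.
phplist_has_outdated() {
    scan_phplist "$1" | grep -q ' OUTDATED$'
}
```

Run `phplist_has_outdated /path/to/phplist && echo "remove FCKEditor"` against the real document root; the per-file report from `scan_phplist` tells you which plugin directories to delete.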

Alan G Fairhall (aka AlanGeorge)