ImpressCMS (www.impresscms.org) has released an updated version of their content management system to provide a more secure environment for the sites built on their platform. The default settings allowed anonymous access to the image upload folders. This could happen even if you do not enable the WYSIWYG (what you see is what you get) editors for any group.
It is strongly recommended you take action to reduce the risk of your sites being compromised.
You have a few options you can choose from -
- If you are not using FCKeditor, you can remove it completely from your server. This is a good practice to follow for any feature or module you are not using.
- You can download and apply the patch provided for ImpressCMS 1.2.5. If you are running an older version of ImpressCMS (versions 1.1 through 1.2.3), you will want to download and use the upgrade versions.
- You can modify the FCKeditor configuration file to restrict uploads to specific groups.
Please be aware that the patch provided by ImpressCMS completely removes the upload capabilities for FCKeditor and you will need to provide other means for adding photos and images. In its patched form, the contributors will only be able to paste a link to an image found elswhere. The builtin imagemanager was integrated into FCKeditor using this risky configuration.
Given the approach the ImpressCMS team has taken, I suspect there will be another release coming that will restore the functionality in a much more secure manner. So, you won't need to use option 3 if you prefer to use FCKeditor.