PatrickB on 04 Jan : 14:11

I just tested it....WOW....this is a BIG one!!!

I don't use HTMLArea, so I deleted the file. Now I know am save

vodler on 04 Jan : 15:21

You're welcome Lolo Irie Thanks to you to fix it !

jreaver^ on 05 Jan : 13:41

What's the exploit? Does it say like the admin password or something. Just out of interest

tosho on 05 Jan : 18:46

looks like file upload capability for anonymous visitors.

lolo, looking at the file and the proposed fix, do you think it's enough? there are other actions there which are not checked for user credentials either.

meneer on 06 Jan : 14:06

See this alert: (posted publicly last week)

Lolo Irie on 07 Jan : 06:10

tosho, sure it's not enough, but I don't have time to fix the full HTMLArea version 1 now
Like you have sen this fix didn't cost so much time and enough for the issue mentionned by meneer.

If you know other holes for HtmlArea 1, please correct them and inform us about, please.

But the best... update your e107 system, and no more fix required.

Johan Söderström on 07 Jan : 13:38

How about changing from HTMLArea (that is only slowly beeing developed now, see dynarch.com) to fckeditor (www.fckeditor.net) I have keept my eye on this project and it seems to be a good choise...

leeg on 07 Jan : 18:21

I got hit with this just before Christmas. It wouldn't hurt for all e107 sites to check their images.php files. I got to v617 by installing the v616->v617 update, which doesn't contain the subdirectories under /popups.

Lee

systemaddict on 08 Jan : 07:14

I agree. Let's have fckeditor instead of htmlarea. It's so much better. There's even the possibility of integrating an image editor (resize, crop, rotate, etc. images right there in your browser). See the demo here (Click Browse Server and hit the pencil on a jpg-picture):

Lolo Irie on 11 Jan : 09:52

I really like better this one too, but it's really slowier to load... so maybe htmlarea is not so bad.

systemaddict on 12 Jan : 01:18

Lolo> Slow to load. That's a bit strange because the author really put a lot of energy into making it load fast. It lightning fast on my computer and another great thing is that you can actually write in the textarea while the buttons are loading.

streaky on 15 Jan : 14:55

forget pre .617 - there is another one about - if you have any sense at all delete e107_handlers/htmlarea/plugins/ImageManager/images.php - at least until we manage to fix the issue - it's a biggie this so please do it, i shouldn't need to hear about anybodys servers being shelled - damn htmlarea.. *fades of into muffled expletives*

Cameron on 15 Jan : 20:05

I think fckeditor is a better option too.
If someone has already intergrated it into e107 - please send me the code and I'll try and have it as an option in 0.7
Thanks
Cam.