This is the answer from CKEditor when I asked them about the vulnerability
Hi Michael,
Thank you for getting in touch with us to clarify this.
First of all, let me try to explain the difference between FCKeditor and CKEditor and some other doubts:
1) FCKeditor vs CKEditor
The name "FCKeditor" refers to all releases of FCKeditor, till 2.x. FCKeditor was retired in 2010.
Note that since 2009 the new "V3" version of the editor, CKEditor 3.x, has been available. Because it has no built-in file browser, it is almost impossible to have a security issue there.
There are no valid security reports for CKEditor, and if one were eventually reported, it would be fixed quickly.
2) What security issue exactly is mentioned in the table?
As stated before, the 2.x version is retired and has no longer been maintained since 2010 (the last 2.6.6 release). Well, with one small exception: the last version of FCKeditor, 2.6.7, was released on 29 March 2012, where a security issue was fixed soon after we got a report (more related to ASP/IIS6 than PHP; see the release announcement for more details:
http://cksource.com/forums/viewtopic.php?t=25112).
So, even for the retired version we fix security issues if they look critical, as long as we offer something on the download page.
3) Does the table list FCKeditor (the editor itself) or a Joomla extension that was using FCKeditor?
The table listed here:
http://docs.joomla.org/Vulnerable_Exten ... #FCKeditor mentions neither the version of FCKeditor which had the security issue, nor the particular security report at secunia.com, for example. Maybe the issue is already fixed in FCKeditor?
The table is in fact very confusing, because it does not link to any particular vulnerable extension that used FCKeditor.
Did the security issue apply to the Joomla extension that was using FCKeditor, or to FCKeditor in general?
Maybe the security issue was in a component that was using FCKeditor, not in the FCKeditor itself?
Maybe the "unknown extension" was listed as vulnerable, because it did not update FCKeditor to the latest, secure version?
4) The situation in 2012
AFAIK FCKeditor is no longer used by any extension. There is not even an extension with that name.
At this moment I know of two extensions that provide *CKEditor*:
a) The official CKEditor for Joomla integration provided by CKSource:
http://extensions.joomla.org/extensions ... tors/12821
b) JCK Editor
http://extensions.joomla.org/extensions ... editors/90
Again, please be aware that CKEditor is not FCKeditor. Apart from many architectural changes, the major part of the server-side code that could potentially cause security issues was removed from CKEditor.
So, to summarize: the mentioned table is outdated and provides misleading information. Feel free to use CKEditor, both extensions are actively maintained, so in case of any security issues, I'm sure they will be fixed immediately.
If you participate in the discussion, feel free to cite me.
Best regards,
Wiktor Walc
CTO, CKSource