JCE 2.0.11 and JCE 184.108.40.206 have been released. Both updates include important security fixes and all users are urged to upgrade as soon as possible.
A vulnerability has been reported in JCE 2.0 and JCE 1.5 that allows a logged in user - who has access to JCE (ie: they can created or edit articles) and any of the Image Manager, Image Manager Extended, File Manager, Media Manager or Template Manager plugins - to view and manipulate files and folders outside of the folder assigned to these plugins.
JCE 2.0.11 and JCE 220.127.116.11 add additional security checks to fix the vulnerability. Additional checks have also been added to some functions in the Image Manager Extended and Template Manager plugins.
Recommendations for securing JCE
JCE 2.0 and JCE 1.5 include a system that allows you to control who has access to JCE plugins (such as the Image Manager) and the features of these plugins (such as delete, rename etc.). Despite the additional security checks added in this update, it is advisable to take advantage of the Profile / Group system to restrict the use of JCE to trusted users and usergroups only, and not allow arbitrary users access to filesystem plugins like the Image Manager. This can be done quickly and easily with the following steps:
- Edit each Profile (or Group in JCE 1.5) and remove any usergroups from the User Group list in the Setup tab that don't need to access the features of that profile. You can create a new Profile for some usergroups (such as Authors) with a limited set of features for the editor.
- For each of the plugins mentioned above (Image Manager, Image Manager Extended, File Manager, Media Manager, Template Manager), disable any of the functions in the Plugin Parameters section that the users and usergroups assigned to the Profile shouldn't have, eg: you might set Folder Delete and File Delete for the Image Manager to No which will prevent the users in the Profile from being able to delete folders and files.
In addition to the security fixes added, JCE 2.0.11 includes a number of bug fixes - see the Changelog for full details - as well as one new feature added to the Table button allowing you to quickly create a simple tables by selecting a grid from a dropdown menu:
The following plugins have been updated :
JCE 2.0 and its plugins can be updated quickly and easily using the Updates dialog launched from the JCE Control Panel or JCE Installer page. JCE 2.0 and JCE 1.5 can be updated by installing the new version over the old using the Joomla! Installer - see JCE Installation