The CKSource team is happy to announce the release of CKFinder 2.3.1. This is a minor release that includes security fixes for all server-side connectors, most notably regarding Denial-of-Service (DoS) attacks (low/medium risk). We recommend updating all installations of CKFinder. Version 2.3.1 also includes a few localization updates and a new language, Serbian.
- Fixed the ability of users authorized to use the server connector, and with permission to upload files, to perform a DoS attack (ASP, PHP, ColdFusion).
- Fixed the ability of users authorized to use the server connector, and with permission to create folders, to cause a denial of service against files and folders on certain servers (such as Apache). The attack was possible only inside a folder for which the user had "create folder" permission.
We would like to thank Soroush Dalili (@irsdl) for reporting both issues.
- Added new translation: Serbian.
- Updated translations: Catalan, Chinese and Japanese.
- Folders that start with a dot character are now disallowed by default.
- Fixed auto-renaming of files with multiple extensions: foo.tar.gz is now renamed to foo(1).tar.gz on a second upload.
- (Java) Fixed thumbnails sometimes not being available.
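The following is an added example, not CKFinder's connector code, that illustrates the two behaviours in the list above: the dot-prefixed folder rule and collision renaming that keeps a multi-part extension intact. It assumes that everything after the first dot of a file name is the extension chain, and it bounds the search for a free name.

```python
from typing import Iterable, List, Set


def split_name(filename: str):
    """Split 'foo.tar.gz' into ('foo', '.tar.gz').

    Assumption: everything after the first dot is the extension chain,
    so the counter is inserted before the whole chain, not just ".gz".
    A leading-dot name such as '.htaccess' is treated as having no extension.
    """
    base, dot, rest = filename.partition(".")
    if not base:
        return filename, ""
    return base, (dot + rest) if dot else ""


def auto_rename(filename: str, existing: Set[str], max_tries: int = 1000) -> str:
    """Return filename if it is free, else the first free 'base(N)ext'.

    The loop is bounded so a directory full of colliding names cannot
    turn the rename scan into an unbounded amount of work.
    """
    if filename not in existing:
        return filename
    base, ext = split_name(filename)
    for n in range(1, max_tries + 1):
        candidate = f"{base}({n}){ext}"
        if candidate not in existing:
            return candidate
    raise RuntimeError("no free name found within max_tries")


def simulate_uploads(names: Iterable[str]) -> List[str]:
    """Apply auto_rename to a sequence of uploads into one folder."""
    stored: Set[str] = set()
    result = []
    for name in names:
        final = auto_rename(name, stored)
        stored.add(final)
        result.append(final)
    return result


def folder_name_allowed(name: str, allow_dot_prefix: bool = False) -> bool:
    """Default-deny folder names starting with '.', plus '.' and '..'."""
    if not name or name in (".", ".."):
        return False
    if name.startswith(".") and not allow_dot_prefix:
        return False
    return True
```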
See the whatsnew page for a list of changes.