
CKFinder 2.3.1 Released

The CKSource team is happy to announce the release of CKFinder 2.3.1. This is a minor release that includes security fixes for all server-side connectors, most notably regarding Denial-of-Service (DoS) attacks (low/medium risk). We recommend updating all installations of CKFinder. Version 2.3.1 also includes a few localization updates and a new language: Serbian.

Security Fixes

  • Fixed the ability to perform a DoS attack by users authorized to use the server connector and with permissions to upload files (ASP, PHP, ColdFusion).
  • Fixed the ability to cause a Denial-of-Service to files and folders on certain servers (like Apache) by users authorized to use the server connector and with permissions to create folders. The attack was possible only inside a folder to which the user had "create folder" permissions.

We would like to thank Soroush Dalili (@irsdl) for reporting both issues.

Other Changes

  • Added new translation: Serbian.
  • Updated translations: Catalan, Chinese and Japanese.
  • Folders that start with a dot character are now disallowed by default.
  • Fixed auto-renaming of files with multiple extensions: foo.tar.gz will be renamed to foo(1).tar.gz on second upload.
  • (Java) Thumbnails were sometimes not available.

Changelog

See the whatsnew page for a list of changes.

Download

Download CKFinder now!

Support

Community support is available through our forums. Visit the support page for additional options.
