
CKFinder 2.3.1 Released

The CKSource team is happy to announce the release of CKFinder 2.3.1. This is a minor release that includes security fixes for all server-side connectors, most notably regarding Denial-of-Service (DoS) attacks (low/medium risk). We recommend updating all installations of CKFinder. Version 2.3.1 also includes a few localization updates and a new language: Serbian.

Security Fixes

  • Fixed the ability to perform a DoS attack by users authorized to use the server connector and with permissions to upload files (ASP, PHP, ColdFusion).
  • Fixed the ability to cause a Denial-of-Service to files and folders on certain servers (like Apache) by users authorized to use the server connector and with permissions to create folders. The attack was possible only inside a folder to which the user had "create folder" permissions.

We would like to thank Soroush Dalili (@irsdl) for reporting both issues.

Other Changes

  • Added new translation: Serbian.
  • Updated translations: Catalan, Chinese and Japanese.
  • Folders that start with a dot character are now disallowed by default.
  • Fixed auto-renaming of files with multiple extensions: foo.tar.gz will be renamed to foo(1).tar.gz on second upload.
  • (Java) Thumbnails were sometimes not available.

Changelog

See the whatsnew page for a list of changes.

Download

Download CKFinder now!

Support

Community support is available through our forums. Visit the support page for additional options.
