We’d like to announce the release of CKFinder 2.5.1. This release contains a security patch for a moderate security issue in the PHP and Java server-side connectors and just a few other small changes. Read on for details!
Security Patch for Java and PHP
During our standard penetration tests we discovered a moderate security issue in the PHP and Java connectors that allowed files in folders configured as "hidden" to be manipulated when the server was hosted on a Windows platform. We therefore recommend upgrading CKFinder to the latest version.
If your upgrade and support privileges have already expired, we strongly recommend renewing your license.
- By renewing your CKFinder for PHP license you can upgrade straight to CKFinder 3.1, a superior solution with a built-in image editor, cloud storage support, great responsiveness, full mobile support and many more features. See the demo here: https://cksource.com/ckfinder/demo
- By renewing your CKFinder for Java license you can upgrade to 2.5.1 today and you are guaranteed a free upgrade to CKFinder 3.x for Java when it gets released in Q2/2016.
The following screenshot presents CKFinder 3.1 (currently available for PHP) in its current state:
This release also includes a handful of other changes. An issue with CKFinder showing a blank window when opened in a popup in Safari 8+ is now fixed. Apart from that, the obsolete integration samples for FCKeditor and CKEditor 3.x were removed, and the CKEditor 4.x integration sample was reworked to include an example of how to support drag & drop file uploads and pasting images from the clipboard.
Last but not least, the following changes were introduced to the Java connector:
- The `Init` command now returns `resourceTypes` added dynamically in the
- It is now possible to dynamically change ACL settings in the
- Starting from this version you can also modify `config.xml` without restarting the server.
- CKFinder now works with various server solutions for virtual directories, so it is possible to have the userfiles folder outside of the application context.
See the What’s New? page for a full list of changes.