Although most of our effort nowadays goes into CKFinder 3 enhancements, we managed to squeeze into our schedule the release of CKFinder 2.6 with security patches and a refreshed look based on Bootstrap 3 - “the most popular HTML, CSS, and JS framework for developing responsive, mobile first projects on the web”.
Security Patches for XSS Issues
We were contacted by our colleagues from Galaxy Software Services Taiwan regarding an issue discovered during penetration tests. It concerned DOM-based XSS and reflected XSS vulnerabilities. After confirming the issue, we developed a security patch in order to provide the fix to the general public as soon as possible. The entire application was also rigorously checked to confirm that this was the only place affected.
All identified issues are now fixed and an upgrade to CKFinder 2.6 is highly recommended.
Automatic CSRF Protection
Note for CKEditor users: In order to upload files directly from inside CKEditor with the updated CKFinder (with CSRF protection enabled), CKEditor should also be updated to the latest stable version (CKEditor 4.5.6, released on 9 December 2015).
New Bootstrap 3 Skin
Here is a piece of good news for all our clients who are using CKFinder 2 for Java or .NET (while waiting for a suitable CKFinder 3 connector), and also for ColdFusion and classic ASP users. Following user feedback, we have decided to refresh the look and feel of CKFinder 2 by adding a new, optional Bootstrap skin. We hope you will enjoy it!
See the What’s New? page for a full list of changes.