I was just reading through the Firefox 2 review at Mozillazine, and spotted a potential problem with FCKeditor: go to http://mozillalinks.org/wp/2006/10/firefox-2-review/ and search for "Report Web Forgery", then look at the image immediately below that. It portrays a faked PayPal site, but the URL looks very similar to the default FCKeditor UserFiles directories.
I'm just wondering, as a fellow file manager developer, is there anything we should be looking out for in order to stop our applications from being used to create these forgeries?
One possibility that occurs to me is to programmatically insert a .htaccess file into the root UserFiles directory, which will convert all html/htm/shtml/etc files to text/plain, so they cannot be viewed as web pages. This should probably be a configurable option, in case some people actually use their uploaded html/htm/etc files as webpages.
Tue, 10/24/2006 - 11:05
#1
RE: FCKeditor used to create phishing sites?
I think there is not much that you can do about it. You cannot condemn the knife for the murder, nor the smith.
RE: FCKeditor used to create phishing sites?
Does it allow any user to upload files without restrictions? Or does it make sure that the user has logged in at the server and can access only his folders?
Does it rely on cookies (bad) or does it use server sessions?
Can the user upload some executable file? Does the restriction still apply if the user tries to rename a file?
Are there any other potential problems in the server code? How does it handle errors?
etc...
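Taking the opening post's .htaccess idea together with the upload, rename and session questions in the reply above, here is an added Python example of how a file manager could implement those checks. It is not FCKeditor's code and not code from anyone in this thread. The function names (htaccess_text, write_htaccess, check_filename, resolve_user_path, handle_upload, handle_rename), the extension allowlist, the directory name and the SESSION_STORE contents are all assumptions constructed for the example; the Apache directives it emits (AddType, Options) are standard mod_mime and core directives.

```python
import os
import re

# --- MIME hardening for the UserFiles root (the .htaccess idea) -------------
# Extensions a browser would render as a page if served with their usual type.
HTML_LIKE_EXTENSIONS = ("html", "htm", "shtml", "xhtml")


def htaccess_text(allow_html_pages=False):
    """Body of the .htaccess to drop into the UserFiles root.

    With allow_html_pages=False (the proposed default) mod_mime serves the
    HTML-like uploads as text/plain, so a browser shows their source instead
    of rendering a look-alike login page.  Options -Includes switches off SSI
    for .shtml, -ExecCGI stops CGI execution and -Indexes hides listings.
    """
    lines = [
        "# generated by the file manager on every upload; do not edit by hand",
        "Options -Indexes -ExecCGI -Includes",
    ]
    if not allow_html_pages:
        lines.append("AddType text/plain " + " ".join("." + e for e in HTML_LIKE_EXTENSIONS))
    return "\n".join(lines) + "\n"


def write_htaccess(userfiles_root, allow_html_pages=False):
    """Write the generated .htaccess into the UserFiles root; returns its path."""
    path = os.path.join(userfiles_root, ".htaccess")
    with open(path, "w") as fh:
        fh.write(htaccess_text(allow_html_pages))
    return path


# --- Filename policy shared by upload and rename ---------------------------
# Hypothetical allowlist; adjust to what the site really needs to store.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"})
# First character alphanumeric, so dotfiles such as .htaccess are refused.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def check_filename(name):
    """Return (ok, reason).  Called from BOTH the upload and the rename
    handlers, so a rename cannot turn 'logo.jpg' into 'logo.html' or 'x.cgi'.
    Every dotted segment after the first is checked, so 'a.cgi.jpg' is refused
    as well (mod_mime can act on an inner extension)."""
    if not SAFE_NAME.match(name):
        return False, "unsafe characters or length"
    segments = name.split(".")
    if len(segments) < 2:
        return False, "no extension"
    for ext in segments[1:]:
        if ext.lower() not in ALLOWED_EXTENSIONS:
            return False, "extension not allowed: %r" % ext
    return True, "ok"


# --- Per-user folder taken from a server-side session -----------------------
# Constructed sample session store: the browser only holds an opaque id; the
# identity comes from here, never from a cookie value the client can edit.
SESSION_STORE = {"s3ss10n-abc": {"user_id": "alice"}, "s3ss10n-xyz": {"user_id": "bob"}}


def resolve_user_path(userfiles_root, session_id, relative_path):
    """Map a client-supplied relative path onto the caller's own folder.

    Returns the absolute path, or None when the session is unknown or the
    path would leave the user's folder (e.g. '../bob/secret.pdf')."""
    session = SESSION_STORE.get(session_id)
    if session is None:
        return None
    user_root = os.path.normpath(os.path.join(userfiles_root, session["user_id"]))
    target = os.path.normpath(os.path.join(user_root, relative_path))
    if target != user_root and not target.startswith(user_root + os.sep):
        return None
    return target


def handle_upload(userfiles_root, session_id, filename):
    """Return (destination_path, reason); destination is None on refusal."""
    ok, reason = check_filename(filename)
    if not ok:
        return None, reason
    target = resolve_user_path(userfiles_root, session_id, filename)
    if target is None:
        return None, "not authorised"
    return target, "ok"


def handle_rename(userfiles_root, session_id, old_name, new_name):
    """Same policy as upload: the extension restriction survives a rename."""
    source = resolve_user_path(userfiles_root, session_id, old_name)
    if source is None:
        return None, "not authorised"
    return handle_upload(userfiles_root, session_id, new_name)


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # stand-in for the real UserFiles directory
    print(open(write_htaccess(root)).read())
    print(handle_upload(root, "s3ss10n-abc", "photo.jpg"))
    print(handle_rename(root, "s3ss10n-abc", "photo.jpg", "photo.html"))
    print(handle_upload(root, "s3ss10n-abc", "../bob/photo.jpg"))
```

The point of routing upload and rename through one check_filename is the reply's question about renames: if the two handlers had separate rules, the weaker one would define the real policy. The .htaccess only changes how Apache labels the files it serves; keeping executables and server-parsed files out is the job of the allowlist, and the file manager should rewrite the .htaccess on each upload so a user cannot replace it through the same upload path.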