CKEditor 4
Wed, 02/23/2005 - 13:52
#1
bburnett71
bburnett71's picture
Joined: 10/06/2005
Posts: 12

Unofficial filemanager php connector Security

First off, both the FCKEditor and the unofficial file manager/php connector are very handy.

However, I noticed that there isn't anything preventing a user from uploading a file named file.jpg and then renaming it to file.php (with whatever php code it really contains).

Also, I tried to read a session variable from command\renamefile.php file to make sure that the user was logged in and had a particular security right before renaming files but it seems to interfere with the XML transmission?

Finally, am I right to be concerned that if a hacker knows the path to the XML connector they could do cross site file uploads (set up a form on one server that calls the XML connector on my server and posts their files)? I might have overlooked some code that makes sure its coming from the local server?

I can probably modify the rename function to prevent renaming files with banned extensions, but have about given up on the session variable part....

Any help or advice?
Top
Mon, 01/24/2005 - 06:08
mcukstorm
mcukstorm's picture
Joined: 05/06/2005
Posts: 126

RE: Unofficial filemanager php connector Secu

I have written a version including the ability to pass a security token to the file manager. Im not happy to release it in its current state (not the auth bit some otherbits are half finished) but if you want to try it send me a msg and ill mail you the dev copy.

Renaming to a non allowed extension will be fixed.
Top
Wed, 02/23/2005 - 13:33
bburnett71
bburnett71's picture
Joined: 10/06/2005
Posts: 12

RE: Unofficial filemanager php connector Security

Grant you probably already know this but I see that this is also an issue with the ASP connector.

You can upload a file and then rename it to a restricted extension. I trust my users on the two apps that I am using this on so far, but that might not always be the case.

I can try to work on fixing this on either the ASP or PHP end if needed.

Thanks
Top
Wed, 02/23/2005 - 13:52
mcukstorm
mcukstorm's picture
Joined: 05/06/2005
Posts: 126

RE: Unofficial filemanager php connector Secu

The latest version of the PHP connector labelled beta on the fbxp site contains a fix for this problem, however as i no longer have a running copy of the fckeditor on a windows/iis/asp platform i have not updated the asp version. If you wish to make this change i will be more than happy to publish the updated version on the site with relevant accreditation.

Kind Regards,
Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check