Hi guys,
My issue is urgent and any help would be really appreciated.
I have an Oracle Portal site that has FCKeditor 2.6.3 installed, and recently we discovered a vulnerability issue that is very dangerous; to understand what I mean, look at the images below.
The problem is that on the second image the URL is accessible from the public just by copying and pasting it in any browser.
How can we solve this issue?
I mean, to not be accessible from the public, just to the registered users? Is this possible to set from somewhere in the settings? I mean the fckconfig.js? Or from the PHP connector config?
Please, some help, because I'm trying with no luck to achieve this.
Thank you in advance,
If you are using a CMS that includes FCKeditor / CKEditor / CKFinder or any other component that we create, you should always contact the CMS vendor, as he is responsible for managing/updating the libraries and for their proper setup.
FCKeditor 2.6.3 was released in 2008 and since then a few security releases have been published. The latest version of FCKeditor was released in 2014 (2.6.11).
The very old, built-in file manager in FCKeditor (and similarly CKFinder) has security settings in configuration files. The administrator / software vendor that integrates the library is responsible for enabling the connector for authenticated users. We distribute libraries with proper instructions on how to do this, with powerful tools to adjust the permissions (through an ACL system). When this is done correctly, whether the file browser is available publicly via a URL doesn't matter, because you need to be properly authenticated first in order to use it. Whatever you see in a browser requires a URL.
Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+
Trying to find a solution on hiding the URL or making the URL not accessible
Thank you Wiktor,
the answer was really helpful!
So in conclusion, what are your suggestions?
1. To install the 2.6.11? But I want the FCKeditor and not the CKEditor, because I think I will have compatibility issues.
2. The libraries you mentioned above have to do with the CMS, right? (Oracle Portal, something that I'm not so familiar with.) Question: is there any other way from the FCKeditor to adjust something in a config so that the URL will not authorize public users to have access?
3. Yes, you are absolutely right that a browser can't hide a URL. What about a modal/lightbox? I mean, as soon as the user presses the 'browse' button, to pop up a modal that will not show the URL. OK, this is not a solution, but I'm trying to find one for this problem.
Once again, thank you for the help.
1. I never used Oracle Portal, so it's hard to say. In general the best very short-term solution might be an update to 2.6.11 if you can't control the API that the application is using internally to enable the editor.
2. You meant FCKeditor / CKEditor / CKFinder? These three products are created by CKSource and are usually included as components in various content management systems (web applications).
I am not able to give you any instructions on what to do further in case of an integration with a 3rd party system that was not created by you and that you don't know. The documentation for FCKeditor is available here and for the Java version here. Keep in mind that FCKeditor has not been maintained for years and we've only been providing security releases for it for the past few years.
3. Nope. Wrong thinking ;-) Even if you manage to "hide" the application in a modal window, it will not change your situation in any way. The attacker will still be able to send POST requests directly to the server connector in order to perform any activities that he should not be allowed to, due to a misconfiguration and due to allowing anyone to use the server connector.
Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+
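One concrete shape for the connector-side check Wiktor describes (enable the connector only for a server-side authenticated session, so a POST sent straight to the connector is refused as well), as an added example that is not from this thread or from CKSource's shipped files; the session key `portal_user` and the login hook are assumptions:

```php
<?php
// Added example, not FCKeditor's shipped config.php. Gate the PHP connector on a
// server-side session instead of on keeping the URL secret.
// Assumption: the application's login code stores the user name in
// $_SESSION['portal_user'] after a successful login (a hypothetical key name).
session_start();

// Deny by default. The shipped connector config also starts with Enabled = false,
// and the connector rejects every request while it stays false.
$Config['Enabled'] = false;

function fckeditor_user_is_authenticated()
{
    // Trust only state the server itself stored at login, never a request
    // parameter or a client-set cookie value.
    return isset($_SESSION['portal_user'])
        && is_string($_SESSION['portal_user'])
        && $_SESSION['portal_user'] !== '';
}

// Evaluated on every connector request, including a POST sent straight to
// connector.php with the URL copied from the browser, so hiding the URL in a
// modal is unnecessary and would not help.
if (fckeditor_user_is_authenticated()) {
    $Config['Enabled'] = true;
}
```

If the portal never creates a PHP session, as the thread suggests, the hook has to be replaced with whatever server-side proof of login the portal actually exposes; a cookie value the client can set itself is not enough.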
Thank you for the info, you really gave me many hints :)
Among other tries, I have tried the following, again with no luck:
Imagine that I was trying to handle it from the connector.php using the cookies created by the Oracle Portal, and I wasn't very lucky, because I can't figure out what the process is when a user logs in; even so, no cookie is created, or at least to figure out a way to create one after a successful login... omg...
The other thing that you mentioned is a very good idea, concerning the API:
'control the API that the application is using internally to enable the editor'
but where is it in this mess...
Anyway, thank you Wiktor.