I have a question on the security of the editor. To debug an error I had, I used the /editor/filemanager/browser/default/connectors/test.html file.
With this I was able to see what was on the server in the Image/File directory, but I was also able to upload to it. This seems like a security problem, or at least something not wanted, because everybody could upload large amounts of data which, for example, uses up all disk space. Also, there were some security issues with image libraries recently; this could be an ideal way to store the malicious pictures.
For now I have put a .htaccess file in the root directory of FCKeditor, but this creates a double login. Is there a nice way to cure this problem?
RE: Security of the editor
Deleting the test.html doesn't stop some evil user from accessing the connectors through the editor or by using their own pages pointing to the proper files.
RE: Security of the editor
/editor/filemanager/browser/default/connectors/php/config.php
/editor/filemanager/upload/php/config.php.
I replaced the original line "$Config['Enabled'] = true ;" with this block of code:

// Start (or resume) the PHP session so the login flag is visible here
session_start();

// Only enable the connector when the CMS login has set the session flag
if (!isset($_SESSION["Editor_login"]))
    $Config['Enabled'] = false;
else
    $Config['Enabled'] = true;
Is this way secure?
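The same session gate as in the post above, written out as an added example (not code from the thread or from the FCKeditor project) with the connector disabled by default and the login and logout sides of the flag shown as well; "Editor_login" is the flag name used in the post, and grantEditorAccess/revokeEditorAccess are assumed helpers for the CMS login script:

```php
<?php
// Added example, not from the thread or the FCKeditor project.
// Snippet for both config.php files (connectors/php and upload/php).

// Start (or resume) the session so the login flag set by the CMS is visible.
session_start();

// Default deny: the connector stays off unless the check below passes,
// so a typo or missing flag can never leave it enabled.
$Config['Enabled'] = false;

// Require the flag to be present AND strictly boolean true, so that a
// leftover value such as "" or 0 cannot be mistaken for a login.
if (isset($_SESSION['Editor_login']) && $_SESSION['Editor_login'] === true) {
    $Config['Enabled'] = true;
}

// --- assumed helpers for the CMS login script (not FCKeditor API) ---

// Call this only after the CMS has verified the user's credentials.
function grantEditorAccess()
{
    // Issue a fresh session id at login so a session id obtained before
    // authentication cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['Editor_login'] = true;
}

// Call this on logout so the connector is disabled again for that session.
function revokeEditorAccess()
{
    unset($_SESSION['Editor_login']);
    $_SESSION = array();
    session_destroy();
}
```

Because both config.php files are included by every connector request, the same gate applies to browsing and to uploads; a request without a logged-in session sees $Config['Enabled'] = false and is refused.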
RE: Security of the editor
Hi there,
This kind of relates to a question I asked in February, but unfortunately I got no reply. I shall paste it below. If anyone can shed even a little light I would be most grateful. And if you find an answer to your problem, zerok112, can you let me know.
.....................................
I had a website built for me in late 2005/early 2006 utilising FCK as the text editor for the Content Management System. I recently became aware that there may be a security hole if I go directly to the following address:
http://www.myWebsite.com/MyBasepath/edi ... nector.php
Once I click on the above link, I can directly go to the image uploader from any PC wherever I may be. Obviously the domain is not correct, but I am using this as an example.
I am unfortunately not a coder, nor do I know exactly which version of FCK was used in the creation of this site. Can anyone tell me if there is a simple security fix for this problem, and if possible explain in simple terms what I may need to do to fix it?
RE: Security of the editor
You should protect the folder for example with .htaccess http://tools.dynamicdrive.com/password/ if you aren't using a session to enable the filebrowser only when the user has logged in.