I have a question on the security of the editor. To debug an error I had, I used the /editor/filemanager/browser/default/connectors/test.html file.
With this I was able to see what was on the server in the Image/File directory, but I was also able to upload to it. This seems like a security problem, or at least something not wanted, because everybody could upload large amounts of data, which for example uses up all disk space. Also, there were some security issues with image libraries recently; this could be an ideal way to store the malicious pictures.
For now I have put a .htaccess file in the root directory of FCKeditor, but this creates a double login. Is there a nice way to cure this problem?

RE: Security of the editor
Deleting the test.html doesn't stop some evil user from accessing the connectors through the editor or by using their own pages pointing to the proper files.
RE: Security of the editor
/editor/filemanager/browser/default/connectors/php/config.php
/editor/filemanager/upload/php/config.php.
I replaced the original line "$Config['Enabled'] = true ;" with this block of code:
    session_start();
    // Enable the connector only when the site's login has set this session flag.
    if (!isset($_SESSION["Editor_login"])) {
        $Config['Enabled'] = false;
    } else {
        $Config['Enabled'] = true;
    }
Is this way secure?
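A stricter form of the session gate posted above, as an added example that is not part of the original thread and not FCKeditor's own code: it requires the flag to be exactly true and rejects stale logins, so the connector fails closed. Assumptions: PHP 7 or later, a login page on the same site that sets $_SESSION['Editor_login'] = true and the hypothetical $_SESSION['Editor_login_time'] = time(), and a session cookie whose path also covers the editor directory.

```php
<?php
// Added example, not FCKeditor code. Meant to replace the
// "$Config['Enabled'] = true ;" line in both connector config.php files.
// Assumption: the site's login page sets $_SESSION['Editor_login'] = true
// and the hypothetical $_SESSION['Editor_login_time'] = time() on success.

const EDITOR_IDLE_LIMIT = 1800; // seconds; hypothetical value

function editor_connector_enabled(array $session, int $now): bool
{
    // Require the exact boolean, not just that the key exists.
    if (!isset($session['Editor_login']) || $session['Editor_login'] !== true) {
        return false;
    }
    // Reject logins that are missing a timestamp or have gone stale.
    $since = $session['Editor_login_time'] ?? null;
    if (!is_int($since) || $since > $now || $now - $since > EDITOR_IDLE_LIMIT) {
        return false;
    }
    return true;
}

// Start the session only if the including script has not already done so.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Fail closed: the connector stays disabled unless every check passes.
$Config['Enabled'] = editor_connector_enabled($_SESSION, time());
```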
RE: Security of the editor
http://www.myWebsite.com/MyBasepath/edi ... nector.php