CKEditor 4
Mon, 09/13/2010 - 17:37
#1
max-mag
max-mag's picture
Joined: 09/07/2010
Posts: 13

Security problems ?

Hi,

I'm worried about security, and i checked with webapp using CKeditor and CKFinder with RATproxy, an Google Audit tool. I've a lot and a lot of high warning :(

Have you already checked CKFinder with such tools ? Of course, it can be false positive, but what do you think about. Is CK* QA uses security tools like RATproxy ?

Thanks.

Top
Fri, 09/17/2010 - 13:52
max-mag
max-mag's picture
Joined: 09/07/2010
Posts: 13

Re: Security problems ?

I understand the problem, CKFinder defines bad cache header.
For example this one :

Date: Fri, 17 Sep 2010 11:47:29 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Encoding: none
Etag: 4c35dbdc-a53
Last-Modified: Thu, 08 Jul 2010 14:08:28 GMT


Expires and Cache-control mismatch. Cache is allowed but date is in the past !
Will it be fixed in the next release ?

Thanks
Top
Thu, 10/28/2010 - 22:01
wiktor
wiktor's picture
Joined: 16/07/2007
Posts: 1641

Re: Security problems ?

We have our own automated security tests for server connectors, written for CKFinder.

Setting an Expires header in the past ensures that HTTP/1.0 and HTTP/1.1 proxies and browsers will not cache the content. Regarding Cache-Control - we'll check that, thanks.

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check