Are there any docs on the vulnerability that occurs when you set you rfilebrowser "$Config['Enabled'] = true ;" and how to prevent this?
Is it that the FCKeditor itself needs to be behind a login and that 'fckeditor/editor/filemanager/connectors/test.html' should not be browsable or are there other thins to take care of?
An advice I found on the forums is:
Don't set $Config['Enabled'] = true ;, check instead with a session variable that the user has been authenticated previously, or set the whole connector folder under a password with .htaccess
which is also stated in the config.php of the file browsers of the latest FCKeditor versions:
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
or your other option
You need to restrict the access to any file under the fckeditor folder. this should help you: http://www.htaccesstools.com/htaccess-authentication/
Is the whole fckeditor folder needed to be protected or only the folder 'fckeditor/editor/filemanager/connectors'.
Does this also fix everything for older FCKeditors? Older versions don't still have the leak described on viewtopic.php?f=5&t=5777&p=15427&hilit=+filemanager+hack#p15427 and perhaps there are even more leaks open in older version that have been fixed in newer versions?
Why is none of this posted on the front page, on http://www.fckeditor.net ?
A snippet of other useull info
alfonsoml wrote:run4it wrote:How do they get to the editor if they aren't authenticated? I mean, how do they even know it's on my site?
They just ask the server if several files that they know have weak points exists on your server. If one success, they know that you have installed that piece of software.
Check your server logs for the error 404 and you'll see that they scan lots of things.
some tags to make this post easy to find as I believe it's very important:
file browser manager filebrowser filemanager leak hacked file dump filedump
Re: filebrowser vulnerabilities
And if you have modified the connector to enable deleting of files, then besides uploading new files, an attacker can delete your files.
Re: filebrowser vulnerabilities
If there's no docs on it it can be hard te graps yes, especially the part of why there are no docs on it.
If you're not willing to respond on my questions, then don't respond please.
for anyone else trying to help, please do.
Re: filebrowser vulnerabilities
- Slap