Are there any docs on the vulnerability that occurs when you set you rfilebrowser "$Config['Enabled'] = true ;" and how to prevent this?
Is it that the FCKeditor itself needs to be behind a login and that 'fckeditor/editor/filemanager/connectors/test.html' should not be browsable or are there other thins to take care of?
An advice I found on the forums is:
Don't set $Config['Enabled'] = true ;, check instead with a session variable that the user has been authenticated previously, or set the whole connector folder under a password with .htaccess
which is also stated in the config.php of the file browsers of the latest FCKeditor versions:
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
or your other option
You need to restrict the access to any file under the fckeditor folder. this should help you: http://www.htaccesstools.com/htaccess-authentication/
Re: filebrowser vulnerabilities
And if you have modified the connector to enable deleting of files, then besides uploading new files, an attacker can delete your files.
Re: filebrowser vulnerabilities
If there's no docs on it it can be hard te graps yes, especially the part of why there are no docs on it.
If you're not willing to respond on my questions, then don't respond please.
for anyone else trying to help, please do.
Re: filebrowser vulnerabilities
- Slap