Don't set "$Config['Enabled'] = true ;". Instead, check with a session variable that the user has been authenticated previously, or put the whole connector folder under a password with .htaccess.
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
You need to restrict access to any file under the fckeditor folder. This should help you: http://www.htaccesstools.com/htaccess-authentication/
viewtopic.php?f=5&t=5777&p=15427&hilit=+filemanager+hack#p15427
http://www.fckeditor.net
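As an added illustration of the session-check option described above (this is not code from the original post, nor FCKeditor's own config), here is how the PHP connector's $Config['Enabled'] can be tied to a session flag instead of being hard-coded to true. The session key name fck_user_authenticated and the config.php path are assumptions; the application's login code must set that flag after a successful login, and the connector must resume the same session.

```php
<?php
// Added example, not part of the original post or of FCKeditor itself.
// Intended for editor/filemanager/connectors/php/config.php (FCKeditor 2.x
// layout, assumed), replacing the line "$Config['Enabled'] = false ;".
//
// Assumption: the site's login script calls session_start() and sets
//   $_SESSION['fck_user_authenticated'] = true;
// once the user has authenticated (hypothetical key name; use your own).

// The connector is requested directly by the browser, so the session has to
// be resumed here as well, under the same session name the login script uses.
if (session_status() === PHP_SESSION_NONE) {   // PHP >= 5.4; on older PHP use: if (!isset($_SESSION))
    session_start();
}

// Returns true only when the login code has explicitly marked this session
// as authenticated. A missing or non-boolean value is treated as "no".
function fck_user_is_authenticated()
{
    return isset($_SESSION['fck_user_authenticated'])
        && $_SESSION['fck_user_authenticated'] === true;
}

// Never simply "= true": that exposes the upload (and, if you enabled it,
// delete) endpoint to any unauthenticated visitor who finds the connector.
$Config['Enabled'] = fck_user_is_authenticated();
```

With this in place an anonymous request to the connector gets the connector's own "not enabled" error, while an authenticated user of the site works as before. The .htaccess option mentioned in the post is independent of this and can be used as well: protecting the whole connector directory at the web-server level means an attacker never reaches the PHP at all.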
alfonsoml wrote:
run4it wrote: How do they get to the editor if they aren't authenticated? I mean, how do they even know it's on my site?
They just ask the server whether several files that they know have weak points exist on your server. If one succeeds, they know that you have installed that piece of software.
Check your server logs for the error 404 and you'll see that they scan lots of things.
Some tags to make this post easy to find, as I believe it's very important:
file browser manager filebrowser filemanager leak hacked file dump filedump

Re: filebrowser vulnerabilities
And if you have modified the connector to enable deleting of files, then besides uploading new files, an attacker can delete your files.
Re: filebrowser vulnerabilities
If there are no docs on it, it can be hard to grasp, yes, especially the part about why there are no docs on it.
If you're not willing to respond to my questions, then please don't respond.
For anyone else trying to help, please do.
Re: filebrowser vulnerabilities
- Slap