Opened 17 years ago
Closed 17 years ago
#1208 closed Bug (invalid)
Security problem on FCKeditor
Reported by: | htom2 | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | General | Version: | |
Keywords: | Cc: |
Description
Hello,
When I write the following after www.domain.de, I can send files and scripts and make folders on the server without registration and without being logged on.
mambots/editors/fckeditor/editor/filemanager/browser/default/browser.html?Type=images&Connector=connectors/php/connector.php
What can I do, or better, please make a patch. This is not good for Joomla sites. Sorry for my bad English.
Thanks, best regards, Thomas
Change History (1)
comment:1 Changed 17 years ago by
Keywords: | Security FCK Editor removed |
---|---|
Priority: | High → Normal |
Resolution: | → invalid |
Status: | new → closed |
That looks like a serious problem, but it is in the implementation of the mambot for Joomla because by default FCKeditor ships with the connectors for the file manager disabled.
So it seems that they have left them enabled and without any protection, like forcing the use of a .htaccess with a password for that folder or checking some session variable to enable it only if the user has been authenticated previously.
I've opened a ticket in http://joomlacode.org/gf/project/joomlafck/tracker/?action=TrackerItemEdit&tracker_item_id=7032 so closing this one.
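An added example, not part of the ticket or of FCKeditor or the Joomla mambot: a static audit of a web root that finds PHP file manager connectors and reports whether `$Config['Enabled']` has been switched on without any session check, the condition the comment above describes. It assumes the connector's `config.php` sits next to `connector.php`; the status names, the `IsAuthorized` session key and the sample configs are constructed for illustration.

```python
import os
import re

# The connector switch, e.g.  $Config['Enabled'] = false ;  ("==" comparisons are skipped)
ENABLED_RE = re.compile(r"""\$Config\[\s*['"]Enabled['"]\s*\]\s*=(?!=)\s*(.+?)\s*;""")
# PHP comments, stripped so a commented-out assignment is not counted (heuristic:
# a "//" or "#" inside a string literal would be cut as well).
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def classify_connector_config(php_source):
    """Classify one connector config.php by how 'Enabled' is assigned."""
    code = COMMENT_RE.sub("", php_source)
    values = [v.lower() for v in ENABLED_RE.findall(code)]
    if not values:
        return "unknown"                      # no switch found: inspect by hand
    if all(v == "false" for v in values):
        return "disabled"                     # the shipped default per the comment
    if "$_SESSION" in code:
        return "references-session"           # gated on a session: confirm the logic
    return "enabled-no-session-check"         # reachable by unauthenticated visitors

def audit_tree(webroot):
    """Map each connector config.php under webroot to its classification."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        if "connector.php" in files and "config.php" in files:
            path = os.path.join(dirpath, "config.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings[path] = classify_connector_config(fh.read())
    return findings

# Constructed sample configs (not taken from any real deployment).
SAMPLES = {
    "shipped": "<?php\n// $Config['Enabled'] = true ;\n$Config['Enabled'] = false ;\n",
    "left_on": "<?php\n/* enable the connector */\n$Config['Enabled'] = true ;\n",
    "gated": "<?php\nsession_start();\n"
             "$Config['Enabled'] = isset($_SESSION['IsAuthorized'])"
             " && $_SESSION['IsAuthorized'] === true;\n",
}

if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(name, "->", classify_connector_config(source))
```

A `references-session` result only means the file mentions `$_SESSION`; it still needs a manual read to confirm that the session variable is set solely after a successful login.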