Opened 12 years ago

Closed 12 years ago

#1208 closed Bug (invalid)

Security problem on FCKeditor

Reported by: htom2 Owned by:
Priority: Normal Milestone:
Component: General Version:
Keywords: Cc:

Description

Hello,

When I write the following after www.domain.de, I can send files, scripts and make folders on the server without registration and without being logged on.

mambots/editors/fckeditor/editor/filemanager/browser/default/browser.html?Type=images&Connector=connectors/php/connector.php

What can I do? Or better, please make a patch. This is not good for Joomla sites. Sorry for my bad English.

Thanks, best regards, Thomas

Change History (1)

comment:1 Changed 12 years ago by Alfonso Martínez de Lizarrondo

Keywords: Security FCK Editor removed
Priority: High → Normal
Resolution: invalid
Status: new → closed

That looks like a serious problem, but it is in the implementation of the mambot for Joomla because by default FCKeditor ships with the connectors for the file manager disabled.

So it seems that they have left them enabled and without a protection like forcing the use of a .htaccess with a password for that folder or checking some session variable to enable it only if the user has been authenticated previously.

I've opened a ticket in http://joomlacode.org/gf/project/joomlafck/tracker/?action=TrackerItemEdit&tracker_item_id=7032 so closing this one.
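
The session check suggested in the comment above, shown as an added example (it is not part of the ticket and is not FCKeditor or Joomla code). It assumes the PHP connector reads `$Config['Enabled']` from its config file; the session name `APPSESSID` and the session keys `user_id` and `can_upload` are hypothetical stand-ins for whatever the host application sets at login.

```php
<?php
// Added example, not FCKeditor or Joomla code.
// Assumption: the PHP connector reads $Config['Enabled'] from its config file.
// Assumption: the host application stores login state under the hypothetical
// session keys 'user_id' and 'can_upload' in a session named 'APPSESSID'.

// Weak setting described in the ticket: connector enabled for every visitor.
// $Config['Enabled'] = true;

/**
 * Decide whether the file manager connector may run for this request.
 * Returns true only when the request carries an authenticated session.
 */
function connector_allowed(array $cookies, string $sessionName): bool
{
    // No session cookie means an anonymous visitor: refuse without
    // creating a new session for them.
    if (empty($cookies[$sessionName])) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_name($sessionName);
        session_start();
    }
    // Copy the values out, then release the session lock before any
    // file operations the connector performs.
    $uid       = $_SESSION['user_id'] ?? null;
    $mayUpload = $_SESSION['can_upload'] ?? false;
    session_write_close();

    // Strict type checks so a missing or malformed value fails closed.
    return is_int($uid) && $uid > 0 && $mayUpload === true;
}

// Hardened setting: the connector stays disabled unless the check passes.
$Config['Enabled'] = connector_allowed($_COOKIE, 'APPSESSID');

if (!$Config['Enabled']) {
    http_response_code(403);
    exit('File manager is disabled for unauthenticated requests.');
}
```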
