We are migrating CKEditor issue tracking to GitHub. Please, use GitHub to report any new issues.

The former tracking system (this website) will still be available in the read-only mode. All issues reported in the past will still be available publicly and can be referenced.

Important: we decided not to transfer all the tickets to GitHub, as many of them are not reproducible anymore or simply no longer requested by the community.
If the issue you are interested in, can be still reproduced in the latest version of CKEditor, feel free to report it again on GitHub.
At the same time please note that issues reported on this website are still taken into consideration when picking up candidates for next milestones.

To report a new issue, go to https://github.com/ckeditor/ckeditor-dev/issues and follow the instructions in the issue template.

Context Navigation

← Previous Ticket
Next Ticket →

Opened 17 years ago

Closed 17 years ago

#1657 closed Bug (invalid)

security issue

Reported by:	Ireneusz Sawicki	Owned by:
Priority:	Normal	Milestone:
Component:	File Browser	Version:	FCKeditor 2.5
Keywords:		Cc:

Description

I don't know how to exactly name it either feature or bug ;-) but typing 'http://(websitehost)/fckeditor/editor/filemanager/browser/default/browser.html' in browser url input enables any user to browse/upload files on server in catalogues specified in config file, without any authentication.

Change History (1)

comment:1 Changed 17 years ago by Alfonso Martínez de Lizarrondo

Priority:	High → Normal
Resolution:	→ invalid
Status:	new → closed

The config file states that you must be sure that only authenticated users must be able to access that file or that you must use some session validation. By default all the connectors are disabled and you choose how to enable it.

Note: See TracTickets for help on using tickets.

Download in other formats: