id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
1868	"File browser may be blocked because of possible ""Path traversal"" attack"	Wiktor Walc	Alfonso Martínez de Lizarrondo	"In Apache, mod_security is usually installed (http://www.modsecurity.org/) - it is commonly used to detect and prevent possible attacks.
A quick example from the official mod_security site (http://www.modsecurity.org/documentation/quick-examples.html):
{{{
    # Prevent path traversal (..) attacks
    SecFilter ""\.\./""
}}}

A similar rule is available in the ""Apache 2.x rules"" at http://www.gotroot.com/:
{{{
##generic recursion signatures
SecRule REQUEST_URI ""!(alt_mod_frameset\.php)"" ""chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'""
SecRule REQUEST_URI ""\.\./\.\./""
#generic path recurision si
}}}

The problem is that ../.. is used by FCKeditor:
{{{
http://www.fckeditor.net/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=../../connectors/php/connector.php
}}}
so it may be blocked in rare cases.

We should avoid passing "".."" in URLs."	New Feature	closed	Normal		File Browser		fixed	Confirmed Review+	
