Opened 11 years ago

Closed 11 years ago

#2452 closed Bug (invalid)

Test.html file could be a security issue

Reported by: jacekr Owned by:
Priority: Normal Milestone:
Component: General Version: FCKeditor 2.6.3
Keywords: Cc:

Description

In the newest version there is a file, fckeditor\editor\filemanager\connectors\test.html (a different location in older releases), that could be used by an anonymous person to upload files. I think this file was used for testing, but it should be removed from the version offered for download. It's deeply hidden in the file structure and could be forgotten. I found this situation in real life: one of my clients suffered a hacker attack made with this file.

Change History (1)

comment:1 Changed 11 years ago by Alfonso Martínez de Lizarrondo

Keywords: security removed
Milestone: FCKeditor 2.6.4
Resolution: invalid
Status: new → closed

No, that file doesn't pose any security problem.

All that it does is allow you to test the features and check that the connector is working as expected. An attacker doesn't really need that file; they can send the data directly to the connector and do just the same things.

In the config file it does state clearly that you must be sure that the connector is enabled ONLY if the user has authenticated previously, so if your user has suffered any attack, it is due to not following the basic security steps:

// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
//		authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = false ;
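
An added example (not part of the ticket and not CKSource code): a Python audit of a web root for the condition the comment describes, a connector config whose `$Config['Enabled']` is a literal `true` with no session check, with an informational note where `test.html` is still deployed. The function names, finding labels and the assumption that the config is a `config.php` somewhere below a `connectors` directory belong to this example.

```python
import re
from pathlib import Path

# Active (uncommented) assignments to $Config['Enabled']. Lines starting with "//"
# never match, so the shipped WARNING comment that quotes "= true" is ignored.
ENABLED_RE = re.compile(
    r"""^[ \t]*\$Config\[\s*['"]Enabled['"]\s*\]\s*=\s*(.+?)\s*;""", re.M)

def classify_config(php_source):
    """Return 'disabled', 'unconditional' or 'needs-review' for one config file."""
    values = [v.lower() for v in ENABLED_RE.findall(php_source)]
    if not values or all(v == "false" for v in values):
        return "disabled"        # assumption: no assignment means never enabled
    if all(v == "true" for v in values):
        return "unconditional"   # enabled for every visitor, no session check
    return "needs-review"        # expression or mixed assignments: read by hand

def audit(webroot):
    """Return sorted (finding, relative_path) pairs for one web root."""
    root, findings = Path(webroot), []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        parts = [p.lower() for p in rel.parts]
        if "connectors" not in parts or not path.is_file():
            continue
        if parts[-1] == "test.html":
            # Informational: the page itself is only a front end to the connector.
            findings.append(("test-page-present", rel.as_posix()))
        elif parts[-1] == "config.php":
            state = classify_config(path.read_text(errors="replace"))
            if state != "disabled":
                findings.append(("connector-" + state, rel.as_posix()))
    return sorted(findings)

# Constructed samples; the first reuses the config lines quoted in the comment above.
SAMPLE_SHIPPED = """// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure
$Config['Enabled'] = false ;
"""
SAMPLE_OPEN = "// $Config['Enabled'] = false ;\n$Config['Enabled'] = true ;\n"
SAMPLE_GATED = "$Config['Enabled'] = isset($_SESSION['user_id']) ;\n"  # hypothetical key

if __name__ == "__main__":
    import sys
    for finding, rel in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding}\t{rel}")
```

PHP block comments (`/* ... */`) are not parsed, so treat the output as a triage list and read each flagged config by hand.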
