Opened 16 years ago
Closed 16 years ago
#2452 closed Bug (invalid)
Test.html file could be a security issue
Reported by: | jacekr | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | General | Version: | FCKeditor 2.6.3 |
Keywords: | | Cc: | |
Description
In the newest version there is a file, fckeditor\editor\filemanager\connectors\test.html (in a different location in older releases), that could be used by an anonymous person to upload files. I think this file was used for testing, but it should be removed from the version offered for download. It's deeply hidden in the file structure and could be forgotten. I found this situation in real life. One of my clients suffered from a hacker attack made using this file.
Change History (1)
comment:1 Changed 16 years ago by
Keywords: | security removed |
---|---|
Milestone: | FCKeditor 2.6.4 |
Resolution: | → invalid |
Status: | new → closed |
No, that file doesn't mean any security problem.
All that it does is allow you to test the features and check that the connector is working as expected. An attacker doesn't really need that file; they can send the data directly to the connector and do just the same things.
In the config file it does state clearly that you must be sure that the connector is enabled ONLY if the user has authenticated previously, so if your user has suffered any attack, it is due to not following the basic security steps:
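
Added example, not part of the ticket or of FCKeditor's own code: a Python audit that walks a web root and reports the two things this ticket discusses, a deployed `connectors/test.html` and a PHP connector config that is switched on with a literal `true` instead of an authentication check. The `$Config['Enabled']` line format, the `php/config.php` location and the `$_SESSION['user_id']` check in the constructed sample are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the PHP connector is switched on in config.php by a line such as
#   $Config['Enabled'] = true ;
ENABLED_RE = re.compile(
    r"""^[ \t]*\$Config\[\s*['"]Enabled['"]\s*\]\s*=\s*(.+?)\s*;""", re.M)

def audit_webroot(root):
    """Return sorted (finding, relative path) pairs for one web root."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        parts = [p.lower() for p in rel.parts]
        if not path.is_file() or "connectors" not in parts[:-1]:
            continue
        if parts[-1] == "test.html":
            # The connector test page shipped with the editor is still deployed.
            findings.append(("test-page-deployed", rel.as_posix()))
        elif parts[-1] == "config.php":
            values = ENABLED_RE.findall(path.read_text(errors="replace"))
            # Last assignment wins; a literal true means the config file
            # itself performs no login or session check.
            if values and values[-1].lower() == "true":
                findings.append(("enabled-without-auth-check", rel.as_posix()))
    return sorted(findings)

def make_constructed_tree(root):
    """Constructed sample: three sites, each with a different connector setup."""
    configs = {
        "siteA": "$Config['Enabled'] = true ;",
        "siteB": "// $Config['Enabled'] = true ;\n$Config['Enabled'] = false ;",
        # Hypothetical session check standing in for the site's own login logic.
        "siteC": "$Config['Enabled'] = isset($_SESSION['user_id']) ;",
    }
    for site, body in configs.items():
        base = Path(root, site, "fckeditor/editor/filemanager/connectors")
        (base / "php").mkdir(parents=True)
        (base / "php" / "config.php").write_text("<?php\n" + body + "\n")
    Path(root, "siteA/fckeditor/editor/filemanager/connectors/test.html").write_text("<html></html>")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding, rel in audit_webroot(make_constructed_tree(tmp)):
            print(f"{finding:28} {rel}")
```

Only `siteA` is reported: `siteB` leaves the connector disabled and `siteC` ties it to a session value, so neither matches the literal-`true` check.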