FCKEDITOR security issue
I run FCKEDITOR 6.x-2.3 on a drupal 6 website, a bunch of hacker team worked to see if there is any security issue on website and they found some vulnerabilities with FCKEDITOR, an anonymous user can upload files to the server using some uploader like this one to the server.
for an anonymouse user I can access direcotries such as:
sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/browser.html
sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/frmupload.html
to upload my uploader file. is there a way to fix it? or I should forget about using FCKEDITOR or any other wysiwyg editors?
You can update your FCKEditor module (check: http://drupal.org/node/1482442)
Or, you can use CKEditor instead of FCKEDITOR. See: http://drupal.org/project/ckeditor
I have faced similar security issue using CKEditor. And I have following the below steps:
Here is the process to update ckeditor and ckfinder:
- Update CKeditor version 6.x—1.13
- Download CK Finder latest version 2.3
- Unzip the ckfinder in sites/all/module/contrib/ckeditor/ckfinder
- Open /all/module/contrib/ckeditor/ckfinder/config.php
Comment out the CheckAuthentication() function
Add the below two lines
$baseUrl may differ depends on products.
- Open /contrib/ckeditor/ckfinder/config.js
add the below lines:
Note: I would like to request all to prepare a set of allowed and denied extensions
One more additional issue: Add cookie_domain in sites/default/settings.php file.
- Is it safe to use the `Function` constructor to validate JavaScript syntax?
- How to build a url with path components in Python securely
- When to use NSSecureCoding
- How to securely allow Github Actions to check PR and post results in comment
- Where is the PEM file format specified?
- How to best validate JSON on the server-side
- Sizeof vs array size
- How to make copilot not leak secret credentials with Neovim plugin?
- Does the client knowing all the endpoint names pose a security risk?
- Securing a client-side API
- How to disable security in Quarkus
- SNC name of ABAP System
- Is MD5 a good way to generate account verification code
- Is there any relationship between Secure Boot and Kernel Lockdown?
- CryptographicException: Access denied - How to give access on User store?
- How to use an API from my mobile app without someone stealing the token
- Symfony security component - Unable to find key \"username\" in the token payload
- Is it a good praxis to secure an webservice endpoint with a simple token string?
- Can using access token alone prevent CSRF attack, since browser prevents accessing cookies of another site?
- Are there CSRF attacks that don't use cookies?
- How does Double Submit Cookie Pattern Prevent against CSRF attacks?
- vulnerable Tomcat 10.1.31 embedded in Artifactory 7.98.13
- Why CSRF token should be in meta tag and in cookie?
- How can I prevent SQL injection in PHP?
- How/why is login page redirect required?
- Do Electron apps enforce CORS restrictions in the renderer process?
- How can i use a reverse shell over global Internet?
- Should I Manually Patch the Pandas DataFrame.query() Vulnerability or Wait for an Official Update?
- C# - Securely storing a password locally
- how to secure keys for API calls from android device to amazon services