Question

I run FCKEditor 6.x-2.3 on a Drupal 6 website. A hacker team worked to see if there is any security issue on the website, and they found some vulnerabilities with FCKEditor: an anonymous user can upload files to the server using some uploader like this one.

As an anonymous user I can access directories such as:

sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/browser.html

sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/frmupload.html

to upload my uploader file. Is there a way to fix it? Or should I forget about using FCKEditor or any other WYSIWYG editors?


Solution

You can update your FCKEditor module (check: http://drupal.org/node/1482442)

Or, you can use CKEditor instead of FCKEDITOR. See: http://drupal.org/project/ckeditor

I have faced a similar security issue using CKEditor, and I followed the steps below:

Here is the process to update ckeditor and ckfinder:

  1. Update CKEditor to version 6.x-1.13
  2. Download the latest CKFinder version, 2.3
  3. Unzip CKFinder into sites/all/module/contrib/ckeditor/ckfinder
  4. Open /all/module/contrib/ckeditor/ckfinder/config.php
  5. Comment out the CheckAuthentication() function
  6. Add the below two lines
  7. $baseUrl may differ depending on the product.
  8. Open /contrib/ckeditor/ckfinder/config.js
  9. Add the below lines:
  10. Note: I would like to request everyone to prepare a set of allowed and denied extensions

One more additional issue: add cookie_domain in the sites/default/settings.php file.
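As an added example (not code from the post or from the CKEditor/CKFinder projects), here is a CKFinder 2.x config.php fragment for Drupal 6 that keeps CheckAuthentication() tied to the logged-in Drupal user instead of commenting it out, and allow-lists upload extensions as step 10 suggests. It assumes config.php sits six directories below the Drupal root (sites/all/modules/contrib/ckeditor/ckfinder) and that the CKEditor module provides the permission 'allow CKFinder file uploads'; resolveUrl() is the helper that CKFinder's stock config.php already defines.

```php
<?php
// Added example: merge into CKFinder's stock config.php. Assumptions are marked.

// Bootstrap Drupal 6 so the current session and user_access() are available.
// Assumption: this file is six levels below the Drupal root.
chdir(realpath(dirname(__FILE__) . '/../../../../../../'));
require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

// CKFinder calls this on every connector request. Return TRUE only for an
// authenticated Drupal user holding the upload permission; returning TRUE
// unconditionally (or removing the check) is what re-opens anonymous uploads.
// Assumption: the CKEditor module defines 'allow CKFinder file uploads'.
function CheckAuthentication() {
  global $user;
  return !empty($user->uid) && user_access('allow CKFinder file uploads');
}

// Keep user files under Drupal's own files directory, whose .htaccess already
// disables script execution (e.g. /sites/default/files/ckfinder/).
$baseUrl = base_path() . file_directory_path() . '/ckfinder/';
$baseDir = resolveUrl($baseUrl);

$config['SecureImageUploads'] = TRUE;   // verify uploaded "images" really are images
$config['CheckDoubleExtension'] = TRUE; // reject names such as shell.php.jpg

// Allow-list per resource type; an empty deniedExtensions means the
// allow-list alone decides what is accepted.
$config['ResourceType'] = array();
$config['ResourceType'][] = array(
  'name' => 'Images',
  'url' => $baseUrl . 'images',
  'directory' => $baseDir . 'images',
  'maxSize' => '2M',
  'allowedExtensions' => 'gif,jpeg,jpg,png',
  'deniedExtensions' => '',
);
$config['ResourceType'][] = array(
  'name' => 'Files',
  'url' => $baseUrl . 'files',
  'directory' => $baseDir . 'files',
  'maxSize' => '8M',
  'allowedExtensions' => 'doc,docx,pdf,txt,xls,xlsx,zip',
  'deniedExtensions' => '',
);
```

After deploying, confirm as an anonymous visitor that the connector URL under ckfinder/ returns an authorization error rather than a file listing.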

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow