
I am running FCKEditor 6.x-2.3 on a Drupal 6 site. A group of hackers tried to see whether the site had any security problems, and they found some vulnerabilities in FCKEditor: anonymous users can use one of its uploaders to upload files to the server, like this one.

As an anonymous user, I can access the following paths:

sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/browser.html

sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/frmupload.html

and upload my own file. Is there any way to fix this? Or should I forget about using FCKEditor or any other WYSIWYG editor?


1 Answer


You can update your FCKEditor module (check: http://drupal.org/node/1482442).

Or, you can use CKEditor instead of FCKEditor. See: http://drupal.org/project/ckeditor

I have faced a similar security issue using CKEditor, and I followed the steps below.

Here is the process to update CKEditor and CKFinder:

  1. Update the CKEditor module to version 6.x-1.13.
  2. Download the latest CKFinder, version 2.3.
  3. Unzip ckfinder into sites/all/module/contrib/ckeditor/ckfinder.
  4. Open /all/module/contrib/ckeditor/ckfinder/config.php.
  5. Comment out the CheckAuthentication() function. [screenshot]
  6. Add the two lines below. [screenshot]
  7. $baseUrl may differ depending on the product.
  8. Open /contrib/ckeditor/ckfinder/config.js.
  9. Add the lines below. [screenshot]
  10. Note: I would like to ask everyone to prepare a set of allowed and denied extensions. [screenshot]

One more additional issue: add cookie_domain in the sites/default/settings.php file.

Answered 2013-03-29T08:19:58.950
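The answer's steps 5 to 7 and 10 (replace CKFinder's stock CheckAuthentication(), set $baseUrl, and define allowed and denied extensions) are where the security outcome is decided, and the screenshots that carried the actual lines are not reproduced above. The fragment below is an added example of what a hardened ckfinder/config.php can look like; it is not the answer's own code or the ckeditor module's shipped integration. It assumes Drupal 6, CKFinder 2.x, that config.php sits six directories below the Drupal root (the answer's sites/all/module/contrib/ckeditor/ckfinder path), an upload directory under sites/default/files/, and a permission name 'allow CKFinder file uploads' that you should replace with whatever your module version defines.

```php
<?php
// Hardened fragment for sites/all/modules/contrib/ckeditor/ckfinder/config.php.
// Added example, not the answer's config or the ckeditor module's code.
// The Drupal root path and the permission name below are assumptions.

/**
 * Gate the CKFinder connector on Drupal's own session and permissions instead
 * of the stock stub. Returning false for anonymous users is what closes the
 * "anyone can upload" hole the question describes.
 *
 * Assumption: this file is six directories below the Drupal root. If that is
 * wrong the function fails closed, so a mistaken path denies uploads rather
 * than opening them to everyone.
 */
function CheckAuthentication()
{
    $drupal_root = realpath(dirname(__FILE__) . '/../../../../../..');
    if ($drupal_root === false || !is_file($drupal_root . '/includes/bootstrap.inc')) {
        return false;
    }
    // Drupal 6 bootstraps relative to the current working directory.
    chdir($drupal_root);
    require_once './includes/bootstrap.inc';
    drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

    global $user;
    // Anonymous (uid 0) never passes. The permission name is an assumption;
    // use the one your ckeditor module version defines for CKFinder access.
    return !empty($user->uid) && user_access('allow CKFinder file uploads');
}

// Assumption: uploads live under Drupal's public files directory. Whatever
// directory you pick, the web server must not execute scripts from it.
$baseUrl = '/sites/default/files/ckfinder/';
$baseDir = resolveUrl($baseUrl);   // CKFinder's own helper from the stock file

// Image uploads are verified with getimagesize(); files that only claim to be
// images are refused.
$config['SecureImageUploads'] = true;
// Reject names like shell.php.jpg, not just the last extension.
$config['CheckDoubleExtension'] = true;
// Extensions CKFinder serves with a safe Content-Type instead of the browser's guess.
$config['HtmlExtensions'] = array('html', 'htm', 'xml', 'js');

// Allow-list only, and leave deniedExtensions empty: a deny-list is defeated by
// any extension you forgot (phtml, php5, phar, htaccess, ...).
$config['ResourceType'][] = Array(
    'name'              => 'Files',
    'url'               => $baseUrl . 'files',
    'directory'         => $baseDir . 'files',
    'maxSize'           => 0,
    'allowedExtensions' => 'pdf,txt,zip,doc,docx,xls,xlsx,ppt,pptx',
    'deniedExtensions'  => '');

$config['ResourceType'][] = Array(
    'name'              => 'Images',
    'url'               => $baseUrl . 'images',
    'directory'         => $baseDir . 'images',
    'maxSize'           => '2M',
    'allowedExtensions' => 'gif,jpeg,jpg,png',
    'deniedExtensions'  => '');
```

After deploying, repeat the reporters' check from a browser with no Drupal session: request the CKFinder connector (ckfinder/core/connector/php/connector.php?command=Init) and the old FCKeditor browser.html and frmupload.html paths from the question. The connector should answer with CKFinder's "not authorized" error rather than a folder listing, and the FCKeditor paths should be gone or return 403/404 once the module is updated or removed. Also confirm that a file named test.php placed in the upload directory is served as a download or blocked, never executed; Drupal's own files/.htaccess handles this for the files directory, but a custom $baseUrl outside it needs the same protection.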