#1868: File browser may be blocked because of possible "Path traversal" attack
--------------------------+-------------------------------------------------
Reporter: wwalc | Owner:
Type: New Feature | Status: new
Priority: Normal | Milestone:
Component: File Browser | Version:
Keywords: |
--------------------------+-------------------------------------------------
In Apache, mod_security is usually installed (http://www.modsecurity.org/)
- it is commonly used to detect and prevent possible attacks.
Quick example from official mod_security site
(http://www.modsecurity.org/documentation/quick-examples.html):
{{{
# Prevent path traversal (..) attacks
SecFilter "\.\./"
}}}
A similar rule is available in the "Apache 2.x rules" at
http://www.gotroot.com/:
{{{
##generic recursion signatures
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecRule REQUEST_URI "\.\./\.\./"
#generic path recursion si
}}}
The problem is that ../.. is used by FCKeditor:
{{{
http://www.fckeditor.net/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=../../connectors/php/connector.php
}}}
so it may be blocked in rare cases.
We should avoid passing ".." in URLs.
--
Ticket URL: <http://dev.fckeditor.net/ticket/1868>
FCKeditor <http://www.fckeditor.net>
The text editor for Internet
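An added example (not FCKeditor's own code) of the change the ticket asks for: resolve the relative connector path against the path of browser.html before it goes into the query string, and then test both forms of the URL against the two mod_security patterns quoted above. Assumptions: the editor knows the absolute path of its own browser.html; the path is placed in the query string literally, with no percent-encoding, exactly as in the URL quoted in the ticket; the rule labels and the resolver function are mine, not mod_security's or FCKeditor's.

```javascript
// Added example, not FCKeditor code. Shows why a URL built with "../.."
// trips the quoted mod_security rules and how resolving the path first avoids it.

// Assumed paths: browser.html as deployed in the ticket's example URL, and the
// relative Connector value FCKeditor passes today.
const BROWSER_PATH = '/fckeditor/editor/filemanager/browser/default/browser.html';
const RELATIVE_CONNECTOR = '../../connectors/php/connector.php';

// The two patterns quoted in the ticket, applied to the request URI as-is.
// Labels are my own; the regexes are the ones from the rules.
const RULES = [
  { name: 'SecFilter', re: /\.\.\// },          // SecFilter "\.\./"
  { name: 'gotroot-300004', re: /\.\.\/\.\.\// } // SecRule REQUEST_URI "\.\./\.\./"
];

// Collapse "." and ".." segments, the way a browser resolves a path.
// Always returns an absolute path; ".." above the root is ignored.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Resolve relPath against the directory that basePath lives in.
function resolvePath(basePath, relPath) {
  if (relPath.startsWith('/')) return normalizePath(relPath);
  const baseDir = basePath.slice(0, basePath.lastIndexOf('/') + 1);
  return normalizePath(baseDir + relPath);
}

// Same URL shape as the ticket: the connector path is passed literally.
function browserUrl(connectorPath) {
  return BROWSER_PATH + '?Type=Image&Connector=' + connectorPath;
}

// Names of the rules whose pattern matches the given request URI.
function matchingRules(requestUri) {
  return RULES.filter(r => r.re.test(requestUri)).map(r => r.name);
}

// Current behaviour: "../.." survives into the URI, so both rules fire.
const currentUrl = browserUrl(RELATIVE_CONNECTOR);
// Proposed behaviour: resolve first, so the URI contains no ".." at all.
const absoluteConnector = resolvePath(BROWSER_PATH, RELATIVE_CONNECTOR);
const fixedUrl = browserUrl(absoluteConnector);

console.log(currentUrl, '->', matchingRules(currentUrl));
console.log(fixedUrl, '->', matchingRules(fixedUrl));
```

Whether a rule actually sees the ".." depends on what the server receives: the check above models the literal, unencoded slashes of the URL quoted in the ticket, which is the form the quoted rules match. Resolving on the client only works if the editor knows its own base path; the connector path could equally be resolved once, server-side, when the editor is configured.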
_______________________________________________
FCKeditor-Trac mailing list
https://lists.sourceforge.net/lists/listinfo/fckeditor-trac