CKFinder 3.5.1 and 2.6.3 released, with updated security guidelines

CKFinder 3.5.1 and 2.6.3 have been released. CKFinder is an easy-to-use Ajax file manager. It provides a folder-tree navigation menu, multi-language support (with automatic detection), creating / renaming / deleting files and folders, and integrates with the FCKeditor online editor.

Updated security guidelines

In some cases, uploading files (either with an allowed extension or with no extension at all) may lead to XSS vulnerabilities, namely when:

  • CKFinder is configured to upload files to a publicly accessible folder
  • When serving files from that public folder, the web server does not send the  X-Content-Type-Options: nosniff  header with every HTTP response

Under these conditions, a malicious user can upload a file that does not have a .html extension, and some browsers will still render it as if it were an ordinary HTML file. This happens because of content sniffing: some browsers perform additional checks on the raw file contents and decide the type from them rather than from the extension or the declared Content-Type.

Related CVE: CVE-2019-15891

CKFinder 2.6.3

CKFinder 2.6.3 contains server-side security fixes, and we strongly recommend updating. The CKFinder 2.6.3 security patch has been applied to the PHP, ASP.NET, ASP and ColdFusion server-side connectors. The Java version is not affected.

Version 2.6.3 introduces a special extension type (no_ext) that lets the server administrator explicitly enable uploading files without any extension.

The official recommendation is to always upload files only with explicitly defined allowed extensions, and to set up the server configuration securely in accordance with the guidelines.

Related CVE: CVE-2019-15862

CKFinder 3.5.1

In CKFinder 3, files without an extension cannot be uploaded by default. The ability to accept them was added in version 3.5.1, but such files are only permitted when the special  no_ext  extension is explicitly listed in the allowed or denied extension definition of the resource type.
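The two server-side rules described above (treating an empty extension as the explicit no_ext entry rather than silently accepting it, and serving files from a public folder with nosniff so the browser does not sniff an upload into HTML) as an added, illustrative example. This is not CKFinder's own connector code: the function names, the allow/deny policy layout (an explicit allow list that denies by default), the header set and the sample filenames are assumptions made for this example.

```python
"""Illustrative upload-policy and download-header helpers (not CKFinder's code).

Models the two rules discussed on this page:
  * an uploaded file is accepted only if its extension is on the allow list;
    a file with no extension is accepted only when the special "no_ext"
    entry is explicitly allowed and not denied;
  * a file served from a publicly accessible upload folder is sent with
    X-Content-Type-Options: nosniff and Content-Disposition: attachment,
    so browsers neither sniff nor render it inline as HTML.
The policy layout (explicit allow list, deny by default), the function names
and the sample filenames are assumptions made for this example.
"""
from __future__ import annotations

import posixpath
import re

NO_EXT = "no_ext"  # special marker, as introduced in CKFinder 2.6.3 / 3.5.1


def file_extension(filename: str) -> str:
    """Return the lower-cased extension of the last path segment, or "" if none.

    Only the basename is considered, so "../evil.html" and "dir/evil" are judged
    by their final segment; a trailing dot ("evil.") also yields "".
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def naive_is_allowed(filename: str, allowed: set[str]) -> bool:
    """The weak check: reject only when an extension is present and not allowed.

    A name without an extension (or ending in ".") slips through, because the
    empty extension is never compared against the allow list at all.
    """
    ext = file_extension(filename)
    if ext and ext not in {e.lower() for e in allowed}:
        return False
    return True


def is_allowed(filename: str, allowed: set[str], denied: set[str] = frozenset()) -> bool:
    """Hardened check: an empty extension maps to "no_ext" and must be allowed explicitly."""
    allowed = {e.lower() for e in allowed}
    denied = {e.lower() for e in denied}
    ext = file_extension(filename)
    key = ext if ext else NO_EXT          # no extension -> look up the no_ext entry
    if key in denied:
        return False
    return key in allowed


def public_download_headers(filename: str, content_type: str = "application/octet-stream") -> dict[str, str]:
    """Headers for serving a file out of a publicly accessible upload folder.

    nosniff tells the browser to trust the declared type instead of sniffing the
    bytes, and the attachment disposition keeps the file from rendering inline.
    """
    safe_name = re.sub(r"[^\w.\-]", "_", posixpath.basename(filename)) or "download"
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response that serves an uploaded file (empty list = fine)."""
    lower = {k.lower(): v.strip().lower() for k, v in headers.items()}
    findings = []
    if lower.get("x-content-type-options") != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not lower.get("content-disposition", "").startswith("attachment"):
        findings.append("file is served inline (no Content-Disposition: attachment)")
    return findings


if __name__ == "__main__":
    # Constructed sample filenames for a resource type that allows only images.
    allowed_exts = {"jpg", "png"}
    for name in ["photo.JPG", "shell.php", "evil.html", "evil", "evil.", "../noext"]:
        print(f"{name:12} naive={naive_is_allowed(name, allowed_exts)!s:5} "
              f"hardened={is_allowed(name, allowed_exts)!s:5} "
              f"hardened+no_ext={is_allowed(name, allowed_exts | {NO_EXT})}")
    print(audit_headers({"Content-Type": "text/html"}))
    print(audit_headers(public_download_headers("evil")))
```

The naive variant shows why a file with no extension is dangerous even when the allow list looks strict: it is never compared against anything. The hardened variant turns the absence of an extension into a named policy entry, so an administrator who wants extension-less uploads has to opt in, which is the behaviour the no_ext entry gives CKFinder. The header helper covers the second guideline for the case where the upload folder is web-reachable anyway.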

Announcement

Download: https://ckeditor.com/ckfinder/download/


Source: www.oschina.net/news/109699/ckfinder-3-5-1-and-2-6-3-released