Completely disable the FCKeditor upload function (including preventing Type vulnerabilities)

In the line editor, FCKeditor is the best editor I have ever used and the best editor on the Internet. It has powerful functions and supports multiple browsers,
No platform restrictions, can be integrated with a variety of Web languages, multi-language support, but also supports open source! ^-^
But it is indeed too powerful! So that they can be easily used by people with ulterior motives.
For example, if you do not want to disable the file upload function, see the following content.
Http://www.cnblogs.com/WoodFish/archive/2008/05/11/1192304.html
The transcript is as follows:

The environment is described in Asp.net development. The steps are as follows:
1. Get files
We can
And DLL files, we copy the DLL to the bin directory and add the DLL to the toolbox for ease of use. The other is FCKeditor 2.6, which contains FCKeditor
Script files, styles, languages, and other miscellaneous of FCKeditor. We can streamline it and copy it to the Web root directory.

2. Simplified FCKeditor
FCKeditor supports multiple web languages. We can simplify the language we use, delete unused files, decompress fckeditor_2.6, and enter
In the FCKeditor folder, delete all the folders starting with "_". These folders contain examples or other tools. In fact, it is reserved only.
The Editor folder, fckconfig. JS, FCKeditor. JS, fckstyles. XML, and fcktemplates. XML can be simplified at the outermost layer.
Go to the Editor folder and delete the "_ source" folder first. Here are some source files, which are useless for use. Go to the Lang folder.
Is the editor language outsourcing files, only keep the zh-cn.js, en. JS, Zh. js these files, the meaning of these files I want everyone to know. Of course, if you need other
The language can also be left.

Go to the skin folder. This is the editor's skin. If you want to use the FCKeditor's default milk yellow color, consider it if you want to use something else. Office2003
The skin is pretty, I heard that loading speed is relatively slow, you can also choose the silver, it is better color, speed is also fast.
In the last step of streamlining, exit the skin folder, go to filemanager, go to the connectors directory, keep the aspx directory, and delete all others.
Now it looks pleasing to the eye!

3. Configure the editor,
You cannot correctly run the editor control by dragging it to the webpage. You must configure it. The first configuration file is fckconfig. JS, which is located in the root directory of FCKeditor.
. Modifications include:
Fckconfig. skinpath = fckconfig. basepath + 'Skins/silver/'; (skin)
Fckconfig. autodetectlanguage = true; (automatic language detection)
Fckconfig. defaultlanguage = 'zh-cn'; (Simplified Chinese by default)
Select Aspx.
VaR _ filebrowserlanguage = 'aspx '; // ASP | aspx | CFM | lasso | Perl | PHP | py (used to browse and upload files)
VaR _ quickuploadlanguage = 'aspx '; // ASP | aspx | CFM | lasso | Perl | PHP | py (used to upload files)
If you want to set the editor's browsing functions, such as browsing images and flash, to set the upload function, and uploading parts and Flash files, you can set it to enable or disable, and true to enable

False.
Fckconfig. linkbrowser = true;
Fckconfig. imagebrowser = true;
Fckconfig. flashbrowser = true;
Fckconfig. linkupload = true;
Fckconfig. imageupload = true;
Fckconfig. flashupload = true;

if your editor is still used at the front-end of the website, for example, for message book or diary reply, you have to consider security. Do not use the default toolbar on the front-end.
, you can either customize the function or use the basic defined by the system to disable other dangerous functions such as file upload. Of course, you can also customize it. Select
A function suitable for you. As for how to choose, you can compare it with fckconfig. fckconfig. toolbarsets ["default"], fckconfig. toolbarsets
["Basic"] configuration should be easier. No need to explain!

4. File Upload Settings
when uploading a file, we want to upload the file to the specified directory, only Authenticated Users can upload files.
In the filemanager \ connectors \ aspx directory. to prevent unauthenticated users from uploading trojan files, you can
Add the current user authentication in the checkauthentication () method, return "true". In the setconfig () method, you can set "userfilespath" to indicate
the path for saving the uploaded file. The uploaded files can be automatically saved to the corresponding directory by directory, such as file, image, Flash, and media. The configured structure is as follows
userfilespath = "~ /Upload/", in the upload directory under the Web root directory.
~ /Upload
|-file
|-image
|-flash
|-media



In addition, A type vulnerability exists during upload.

The address for the upload vulnerability is: Http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = All & connector = connectors/aspx/connector. aspx Open this address to upload any types of files. The location where the horse uploads files is: Http://www.xxx.com/UserFiles/all/1.asa The variable "type = all" is defined by yourself. The directory "all" is created here, and the new directory does not have any restrictions on the file format to be uploaded. For example, input: Http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = monyer & connector = connectors/aspx/connector. aspx The passed file is under the http://www.xxx.com/UserFiles/monyer/. And if you enter: http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = ../& connector = connectors/aspx/connector. aspx You can upload the script to the root directory of the website. The uploaded file is under the root directory of the website.

Solution: Delete "FCKeditor \ editor \ filemanager"