FCKeditor.Net_2.2 Security Correction

Source: Internet
Author: User

FCKeditor is an open-source, multi-function online Web editor. Official website: http://www.fckeditor.net/
For related security documents, see:
Using FCKeditor in .NET: http://cliffever.cnblogs.com/archive/2006/05/09/395134.aspx
FCKeditor combat skills: http://www.jb51.net/html/200609/1206.htm
FCKeditor security issues under ASP.NET: http://www.lvjiyong.com/item/fckeditor-safe


======================================
FCKeditor security issues (FCKeditor.Net_2.2 only)

The type of an uploaded file is not strictly verified (it is checked only on the client).
The FCKeditor directory is not protected by authentication.
Excessive file upload vulnerability.


Solution:
See the modified FCKeditor.Net_2.2.
Configure security for the FCKeditor directory under the site so that only users in the specified roles can access it.
Delete the upload files that the site does not use. See the testFCKeditor example.

Modifications to FCKeditor.Net_2.2:
1. FileWorkerBase.cs: added the upload file extension verification function and its property.
The usage is similar to setting UserFilesPath:
Application["FCKeditor:UploadDeniedExtensions"]
Session["FCKeditor:UploadDeniedExtensions"]
System.Configuration.ConfigurationSettings.AppSettings["FCKeditor:UploadDeniedExtensions"]
For more information, see the testFCKeditor example.
The "FCKeditor:UserFilesPath" setting for the UserFilesPath property can be set to a "site virtual directory" (similar to the modified BasePath setting).
2. Uploader.cs
3. FileBrowserConnector.cs
Verification of the uploaded file type was added to the two files above.
4. FCKeditor.cs: the default value of the BasePath property is "~/FCKeditor/".
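
The server-side extension check described in items 1 to 3, sketched as an added example (it is not the modified FCKeditor.Net source). UploadExtensionPolicy, its method names, the comma-separated list format and the sample values are hypothetical, and the precedence Application, Session, appSettings is assumed from the order in which the settings are listed.

```csharp
using System;
using System.Collections.Generic;

// Added illustration: UploadExtensionPolicy is a hypothetical class, not FCKeditor.Net source.
public static class UploadExtensionPolicy
{
    // Assumed precedence, following the order the settings are listed: Application, Session, appSettings.
    public static string ResolveDenied(string application, string session, string appSetting)
    {
        if (!string.IsNullOrEmpty(application)) return application;
        if (!string.IsNullOrEmpty(session)) return session;
        return appSetting ?? "";
    }

    // Server-side decision; the client-side check is never trusted.
    public static bool IsDenied(string clientFileName, string deniedList)
    {
        var denied = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string item in (deniedList ?? "").Split(new[] { ',', ';', '|' }, StringSplitOptions.RemoveEmptyEntries))
            denied.Add(item.Trim().TrimStart('.'));

        // Keep only the last path segment of the client-supplied name.
        string name = clientFileName ?? "";
        int cut = name.LastIndexOfAny(new[] { '/', '\\' });
        if (cut >= 0) name = name.Substring(cut + 1);

        // Windows drops trailing dots and spaces on create, so "page.aspx." is stored as "page.aspx".
        name = name.TrimEnd('.', ' ');

        string[] parts = name.Split('.');
        if (parts.Length < 2 || parts[0].Length == 0) return true; // no base name or no extension: reject

        // Compare every segment after the base name, case-insensitively, not just the last one.
        for (int i = 1; i < parts.Length; i++)
            if (denied.Contains(parts[i].Trim())) return true;
        return false;
    }

    public static void Main()
    {
        // Constructed sample value for "FCKeditor:UploadDeniedExtensions" and constructed file names.
        string denied = ResolveDenied(null, null, "aspx,asp,ashx,asa,cer,config,exe");
        foreach (string n in new[] { "photo.jpg", "page.ASPX", "page.aspx.", "report.asp.jpg", "C:\\tmp\\run.exe", "notes" })
            Console.WriteLine("{0,-16} denied={1}", n, IsDenied(n, denied));
    }
}
```

A deny list blocks only the extensions it names; an allow list of the extensions the site expects is the stricter form of the same check.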

Note:
The attached FredCK.FCKeditorV2.dll is built for .NET 2.0.
This modification has been debugged successfully under ASP.NET 2.0.