View Full Version : CKEditor [wyswyg]



michael_s
07-29-2011, 05:01 AM
There is a small bug related to security in filemanager config.php. If someone knows the url for filemanager (i.e. http://xxxxxxx/admin/ckeditor/filemanager/index.php?editor=ckeditor&filter=image&CKEditor=products_description[2]&CKEditorFuncNum=2&langCode=en), then he/she can view, delete, or change the files.

To fix that:

FIND:
if (!isset ($_SESSION ['osCAdminID']))
on line 29

CHANGE TO:
if (!isset ($_SESSION ['osCAdminID'])) exit;

More... (http://addons.oscommerce.com/info/7112)
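
An added example, not part of the original post or of the add-on: a small static check that flags PHP files where the `osCAdminID` session guard quoted above is present but does not stop the script, which is the defect the post fixes. The sample sources, the `$lang` line and the function names are constructed for illustration, and the brace matching is a heuristic that ignores braces inside strings.

```python
import re
import sys
from pathlib import Path

# Admin-session guard as quoted in the post, tolerant of spacing and quote style.
GUARD = re.compile(
    r"if\s*\(\s*!\s*isset\s*\(\s*\$_SESSION\s*\[\s*['\"]osCAdminID['\"]\s*\]\s*\)\s*\)")
# A call or statement that stops the script: exit; exit(...); die; die(...)
STOPS = re.compile(r"\b(exit|die)\s*[;(]", re.IGNORECASE)

def guarded_statement(rest):
    """Return the statement or brace block that the guard's `if` controls."""
    rest = rest.lstrip()
    if rest.startswith("{"):
        depth = 0
        for i, ch in enumerate(rest):
            depth += (ch == "{") - (ch == "}")
            if depth == 0:
                return rest[:i + 1]
        return rest  # unbalanced braces: inspect everything that is left
    end = rest.find(";")
    return rest if end == -1 else rest[:end + 1]

def audit_guard(php_source):
    """Classify PHP source as 'ok', 'guard-without-exit' or 'no-guard'."""
    match = GUARD.search(php_source)
    if match is None:
        return "no-guard"
    body = guarded_statement(php_source[match.end():])
    return "ok" if STOPS.search(body) else "guard-without-exit"

# Constructed samples (not the add-on's real config.php).
BEFORE = "<?php\nsession_start();\nif (!isset ($_SESSION ['osCAdminID']))\n$lang = 'en';\n"
AFTER = "<?php\nsession_start();\nif (!isset ($_SESSION ['osCAdminID'])) exit;\n$lang = 'en';\n"
REDIRECT = ("<?php\nif (!isset($_SESSION[\"osCAdminID\"])) {\n"
            "  header('Location: login.php');\n  exit;\n}\n")

if __name__ == "__main__":
    # Usage: python audit_guard.py /path/to/admin/ckeditor/filemanager (placeholder path)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if root is None:
        for name, src in (("BEFORE", BEFORE), ("AFTER", AFTER), ("REDIRECT", REDIRECT)):
            print(name, audit_guard(src))
    else:
        for path in sorted(root.rglob("*.php")):
            print(path, audit_guard(path.read_text(errors="replace")))
```

A `no-guard` result is a prompt to review the file by hand: it may be an include that is only reached through an entry point that already checks the session.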