We would like to announce an immediate release of CKFinder for ASP.NET 18.104.22.168 which contains a critical security fix. An upgrade is highly recommended!
We have been contacted yesterday (June, 8th) by Tornike Gelashvili, CTO of Helix Group regarding an issue discovered during penetration tests. After confirming the issue, a security fix has been developed in order to provide the fix to the general public as soon as possible. The application was also checked to confirm that it was the only place affected.
Due to insufficient checks in the ASP.NET connector, an authenticated user using the built-in DownloadFile command could download any file from the server (with an extension allowed in defined resource types, as well as without any extension), when providing an absolute path to the file.
- Severity: Critical
- Versions affected: CKFinder for ASP.NET <= 2.5.0
We would like to thank Tornike and his team for their submission and strongly recommend everyone to upgrade.
See the whatsnew page for a list of changes.
Visit the support page for an information about available support options.