CKFinder for ASP.NET 2.5.0.1 with a Security Patch Released

Posted by Wiktor on Releases

We would like to announce the immediate release of CKFinder for ASP.NET 2.5.0.1, which contains a critical security fix. An upgrade is highly recommended!

We were contacted yesterday (June 8th) by Tornike Gelashvili, CTO of Helix Group, regarding an issue discovered during penetration tests. After confirming the issue, a security fix was developed so that it could be provided to the general public as soon as possible. The application was also checked to confirm that this was the only place affected.

Issue Description

Due to insufficient checks in the ASP.NET connector, an authenticated user could use the built-in DownloadFile command to download any file from the server by providing an absolute path to the file. The file only had to have either an extension allowed in one of the defined resource types or no extension at all; the path was not restricted to the resource type's directory.

  • Severity: Critical
  • Versions affected: CKFinder for ASP.NET <= 2.5.0
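As an added illustration of the class of bug described above (this is example code, not CKFinder's own connector code), the snippet below places an assumed unsafe path resolution beside a hardened one. The resource root and the allowed extension list are constructed for the example; the Path.Combine behaviour it relies on is the documented .NET one.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

public static class DownloadPathCheck
{
    // Constructed values for this example; a real connector reads these
    // from its resource type configuration.
    const string ResourceRoot = @"C:\inetpub\wwwroot\userfiles\files";
    static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "pdf", "jpg", "png", "zip" };

    // Unsafe pattern (an assumed illustration, not CKFinder's code): when
    // fileName is rooted, Path.Combine discards the earlier arguments and
    // returns fileName unchanged, so an extension check alone still passes
    // while the file is read from anywhere on the disk.
    public static string ResolveUnchecked(string currentFolder, string fileName)
    {
        return Path.Combine(ResourceRoot, currentFolder, fileName);
    }

    // Hardened resolution: a bare, non-rooted file name with an allowed
    // extension, whose canonical path still lies under the resource root.
    public static bool TryResolve(string currentFolder, string fileName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(fileName) || Path.IsPathRooted(fileName))
            return false;
        // Reject anything that is not a plain file name ("..", "a/b", "a\b").
        if (fileName != Path.GetFileName(fileName) || fileName == "." || fileName == "..")
            return false;
        // Files without an extension are not downloadable either.
        string ext = Path.GetExtension(fileName).TrimStart('.');
        if (ext.Length == 0 || !AllowedExtensions.Contains(ext))
            return false;

        string root = Path.GetFullPath(ResourceRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string folder = (currentFolder ?? "").Replace('/', Path.DirectorySeparatorChar)
            .TrimStart(Path.DirectorySeparatorChar);
        string candidate = Path.GetFullPath(Path.Combine(root, folder, fileName));
        // Canonicalisation collapses ".." segments in currentFolder; the
        // prefix test then catches any escape from the resource root.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false;
        fullPath = candidate;
        return true;
    }
}
```

The prefix comparison must be done on the canonicalised path and against a root that ends in a separator, otherwise a sibling directory with the same prefix would be accepted.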

We would like to thank Tornike and his team for their submission, and we strongly recommend that everyone upgrade.

Changelog

See the whatsnew page for a list of changes.

Download

Download CKFinder now!

Support

Visit the support page for information about available support options.
