Hello
We have recently come across a security issue with using the KCFinder image uploader, which was integrated into CKEditor. KCFinder was used to upload images into product descriptions when they were being edited in CKEditor. Essentially, the KCFinder file "browser.php" could be accessed by anyone online and allowed the uploading of files to a website. The addon has now been disabled.
After investigating further, I found this notation online re KCFinder:
Mandatory security measure: Open "kcfinder/config.php" and make sure "disabled" is true. If it's false, ANYONE will be able to access KCFinder and upload files.
We learned the hard way on that one. So in posting this info we hope no one else will have the same issue.
Question:
What can we use which is secure with CKEditor to allow us to upload images into our product descriptions? We are using OSCOM 2.3.
Any feedback is much appreciated.
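
A check for the setting quoted in the post, added here as an example (it is not part of the original post and is not KCFinder or osCommerce code): it walks a web root, finds every kcfinder/config.php and reports those where "disabled" is not true. The PHP array layout of the sample configs and the names kcfinder_state and audit are assumptions made for this example.

```python
import re
from pathlib import Path

# Keep string literals (group 1), drop /* */, // and # comments, so a
# commented-out 'disabled' line is never mistaken for the live setting.
_STRIP_RE = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.S)
# Assumed layout: a PHP array entry such as  'disabled' => true,
_DISABLED_RE = re.compile(r"""['"]disabled['"]\s*=>\s*([A-Za-z0-9_]+)""")

# Constructed sample configs, not copied from a real installation.
SAMPLE_OPEN = """<?php
$_CONFIG = array(
    // 'disabled' => true,
    'disabled' => false,
    'uploadURL' => "upload",
);
"""
SAMPLE_CLOSED = SAMPLE_OPEN.replace("'disabled' => false", "'disabled' => true")


def kcfinder_state(php_source):
    """Return 'disabled', 'enabled' or 'unknown' for a config.php body."""
    code = _STRIP_RE.sub(lambda m: m.group(1) or "", php_source)
    values = _DISABLED_RE.findall(code)
    if not values:
        return "unknown"          # setting missing: needs manual review
    last = values[-1].lower()     # PHP keeps the last duplicate array key
    if last in ("true", "1"):
        return "disabled"
    if last in ("false", "0"):
        return "enabled"
    return "unknown"              # e.g. set from a constant or variable


def audit(webroot):
    """List (path, state) for every kcfinder/config.php not set to disabled."""
    findings = []
    for cfg in Path(webroot).rglob("config.php"):
        if cfg.parent.name.lower() != "kcfinder":
            continue
        state = kcfinder_state(cfg.read_text(errors="replace"))
        if state != "disabled":
            findings.append((str(cfg), state))
    return sorted(findings)
```

An "unknown" result means the file did not contain a literal true or false for the setting and should be read by hand.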