• Resolved poppydev

    (@poppydev)


    Hi Team,

    Great little plugin and helps when you need instant access to a site's backend. The only issue I have with this is how are you seeing the root directory without any form of FTP or password? Surely the server wouldn't allow this unless you had some kind of SSH access.

    Due to this concern, are there any plans to add a password feature on the "file manager" folder link? This would add additional security if anyone decided to log into the site, or if it was hacked in any way.

    Also, when you delete the plugin, do you leave any trace behind in the database? If you do, can you tell me what these folders are so that I can delete them manually to help protect the site after use.

    If you can add a password feature or some sort of security measure in place then I am happy to leave this plugin installed on the site.

    Thanks.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support alina98

    (@alina98)

    Hi @poppydev ,

    Thanks for reaching out!

    I will forward this as a feature suggestion to our dev team.

    Kind regards,
    Alina

    Plugin Support mialewp

    (@mialewp)

    Hi @poppydev,

    Good day!

    Filester uses the elFinder library for development, and as far as we know it has not supported this feature yet.

    We will implement this in the future if it’s possible.

    Best regards,

    Mia

    Thread Starter poppydev

    (@poppydev)

    Hi Mia,

    Knowing what you are using for your plugin, I have found a few "scary" security issues on the Git repository…

    Version 2.1.49 (2019-04-14)

    at “www.cvedetails.com” search “elFinder”

    at “github.com” search “Studio-42/elFinder”

    CVE-2023-35840
    _joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector. In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload.

    CVE-2022-27115
    In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload.

    CVE-2022-26960
    connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.

    CVE-2021-43421
    A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.

    CVE-2021-23394
    The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.

    Can you also clarify these plugin patches have also been applied: https://github.com/Studio-42/elFinder/security

    Please can you clarify if you are going to investigate these vulnerabilities, and if you are confident they have been resolved/patched in the latest version?

    Thanks
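
    As an added defender-side illustration of the two checks behind the CVE descriptions quoted above (path containment for the connector's path handling, and upload-name screening for the .phar case), here is example code that is not from Filester or elFinder; the document root and file names are constructed placeholders.

```python
import posixpath
from typing import Optional

# Constructed placeholder for the connector's configured document root.
DOC_ROOT = "/var/www/site/wp-content/uploads/filester"

# Extensions a PHP-enabled web server may execute. .phar is listed because
# CVE-2021-23394 applies only when the server parses .phar files as PHP.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def safe_join(root: str, user_path: str) -> Optional[str]:
    """Join a client-supplied path onto root and refuse anything that escapes it.

    Returns the normalized absolute path inside root, or None when the request
    is rejected (absolute path, '..' traversal out of root, or a NUL byte).
    """
    root = posixpath.normpath(root)
    if "\x00" in user_path:
        return None
    rel = user_path.replace("\\", "/")
    # Absolute client paths are rejected outright instead of being joined,
    # which is the mishandling described for CVE-2022-26960.
    if rel.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # normpath has collapsed any '..'; the result must still be root or a child.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def upload_name_allowed(filename: str) -> bool:
    """Reject upload names that a web server could execute as PHP.

    Every extension segment is checked, not only the last one, and trailing
    dots or spaces are stripped before checking, so 'shell.php.' and
    'shell.php.jpg' are both refused.
    """
    name = filename.strip().rstrip(". ")
    if not name or "/" in name or "\\" in name or "\x00" in name:
        return False
    segments = name.lower().split(".")
    return not any(seg in EXECUTABLE_EXTS for seg in segments[1:])
```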

    Plugin Support alina98

    (@alina98)

    Hi @poppydev,

    Please let me check with the dev and I will feed you back as soon as possible.

    Thank you!

    Kind regards,
    Alina

    Thread Starter poppydev

    (@poppydev)

    Hi alina98, any update on the above security issues and whether they have been or are being patched?

    Thanks

    Plugin Support alina98

    (@alina98)

    Hi @poppydev,

    Thanks for your patience!

    We are checking and we will update the fix in the latest version.

    Kind regards,
    Alina

    Thread Starter poppydev

    (@poppydev)

    Hi alina98,

    It's been a month now since you last told me about fixing the plugin. I haven't seen an update for the plugin in this time. Where are you at with all the fixes required? Just worried you are leaving hundreds, possibly thousands of people's sites open to attacks for a simple fix.

    These kinds of plugins shouldn't be ignored when security is important.

    Please do update when you can.

    Thanks

    Plugin Support mialewp

    (@mialewp)

    Hi @poppydev,

    Thanks for your patience.

    We will update the fixed version by early next week; when it's done we will let you know. We are so sorry for any inconvenience.

    Best regards,

    Mia

  • The topic ‘Add password protect on file manager’ is closed to new replies.