This is not a security vulnerability, because the mentioned file manager:
- only works when the "root" user is logged in to the Admin Console
- only allows uploading files with specified extensions
The WYSIWYG editor is used by In-Portal to allow entering rich text in the CMS blocks and other places on the website. It looks like this:
It also comes with a File Manager component, but we've actually replicated it via In-Portal itself:
This is fine, but in In-Portal 5.2.x versions the FCKEditor was replaced by CKEditor (see the linked Jira issue), but the File Browser wasn't removed and is still accessible.
Solution
- locate all code in these classes that is executed when the File Manager from the "browser/browser" template is used:
FckTagProcessor
FckEventHandler
fckFCKHelper
- delete the code located above if it isn't used anywhere else (e.g. in CKFinder, the file manager that ships with CKEditor)
- delete the "/core/admin_templates/browser" folder (contains CSS and TPL files)
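As an added check for the steps above (example code, not In-Portal's own): before deleting the three classes and the browser folder, scan the source tree for remaining references to them, so that only genuinely dead code is removed. The class location core/units/fck and the sample files are assumptions constructed for the example.

```python
import os
import tempfile

# Names from the ticket; a hit outside the folders being deleted is a live use
# that must be migrated (e.g. to CKFinder) before the code is removed.
LEGACY_SYMBOLS = ("FckTagProcessor", "FckEventHandler", "fckFCKHelper", "browser/browser")
# "core/units/fck" is an assumed location for the three classes.
DELETED_DIRS = ("core/admin_templates/browser", "core/units/fck")

def find_references(root, symbols=LEGACY_SYMBOLS, skip_dirs=DELETED_DIRS, exts=(".php", ".tpl")):
    """Map each symbol to [(relative_path, line_no, line)] occurrences in .php/.tpl
    files under root, ignoring files inside skip_dirs (they are going away anyway)."""
    hits = {s: [] for s in symbols}
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if any(rel_dir == d or rel_dir.startswith(d + "/") for d in skip_dirs):
            continue
        for name in sorted(f for f in files if f.endswith(exts)):
            rel_path = f"{rel_dir}/{name}" if rel_dir != "." else name
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    for sym in symbols:
                        if sym in line:
                            hits[sym].append((rel_path, no, line.rstrip()))
    return hits

def safe_to_delete(hits):
    """Symbols with no remaining references: dead code that can be removed."""
    return sorted(s for s, found in hits.items() if not found)

def build_sample_tree():
    """Constructed miniature tree (not real In-Portal files) with two stale references."""
    root = tempfile.mkdtemp()
    files = {
        "core/units/fck/fck_tag_processor.php": "<?php class FckTagProcessor extends kDBTagProcessor {}",
        "core/units/fck/fck_event_handler.php": "<?php class FckEventHandler extends kEventHandler {}",
        "core/units/fck/fck_helper.php": "<?php class fckFCKHelper extends kHelper {}",
        "core/admin_templates/browser/browser.tpl": "<p>legacy File Browser (browser/browser)</p>",
        "core/units/cms/cms_config.php": "<?php $config['TagProcessorClass'] = 'FckTagProcessor';",
        "core/admin_templates/incs/toolbar.tpl": "<a href=\"browser/browser\">Files</a>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body + "\n")
    return root
```

Run `find_references` against the real checkout root instead of `build_sample_tree()`; anything still listed for a symbol must be rewritten or dropped before that class or template is deleted.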