El-Finder is a good file manager plugin which can be used with TinyMCE or CKEditor.
This plugin has a vulnerability of accessing server side files for non authorized users.
My solution
To secure the access to server files for non authorized users, add the following lines to the file elfinder/php/connector.php
<?php
require __DIR__ . '/../../../../vendor/autoload.php';
$sessionConfig = new \Zend\Session\Config\SessionConfig();
$sessionManager = new \Zend\Session\SessionManager($sessionConfig);
$sessionManager->start();
if (! isset($_SESSION['Admin_Auth']) || null === $_SESSION['Admin_Auth']) {
echo json_encode(array(
'error' => 'errAccess',
));
exit();
}Now when accessing the elfinder.html url, you'll get an error message:
