El-Finder is a good file manager plugin that can be used with TinyMCE or CKEditor.

This plugin has a vulnerability: users who are not authorized can access server-side files.


My solution

To block access to server files for unauthorized users, add the following lines to the file elfinder/php/connector.php:

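require __DIR__ . '/../../../../vendor/autoload.php';

// Attach to the application's session so that $_SESSION is populated.
$sessionConfig  = new \Zend\Session\Config\SessionConfig();
$sessionManager = new \Zend\Session\SessionManager($sessionConfig);
$sessionManager->start();

// Refuse the request unless an admin session exists.
if (! isset($_SESSION['Admin_Auth']) || null === $_SESSION['Admin_Auth']) {
    echo json_encode(array(
        'error' => 'errAccess',
    ));
    // Stop here so the rest of the connector never runs for this request.
    exit;
}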
Now when accessing the elfinder.html URL, you'll get an access error message.
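A stricter form of the same check, as an added example that is not the author's or elFinder's own code: it also rejects an Admin_Auth key that is present but empty, and it answers with HTTP 403, which goes beyond the check in the post. The function names are hypothetical, and it assumes Admin_Auth is non-empty only while an admin is logged in.

```php
<?php
// Added example: not elFinder's code and not the post author's code.
// Assumption: $_SESSION['Admin_Auth'] is non-empty only while an admin is logged in.

/** Return null for a logged-in admin, otherwise the error payload to send. */
function connectorAccessError(array $session): ?array
{
    $auth = $session['Admin_Auth'] ?? null;
    if (is_array($auth) || $auth instanceof Countable) {
        // Containers (array, ArrayObject) count as logged out when they hold nothing.
        $loggedIn = count($auth) > 0;
    } else {
        // null, false, '' and 0 all mean "not logged in".
        $loggedIn = !empty($auth);
    }
    return $loggedIn ? null : array('error' => 'errAccess');
}

/** Send the denial as JSON with a 403 status and stop before elFinder runs. */
function denyAndExit(array $payload): void
{
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode($payload);
    exit;
}

// In connector.php, once the session is started (hypothetical call site):
//     if ($error = connectorAccessError($_SESSION)) { denyAndExit($error); }

// Self-check on constructed session arrays, only when this file is run directly from the CLI.
if (PHP_SAPI === 'cli' && isset($_SERVER['argv'][0]) && realpath($_SERVER['argv'][0]) === __FILE__) {
    $cases = array(
        'no key'          => array(array(), false),
        'null'            => array(array('Admin_Auth' => null), false),
        'empty string'    => array(array('Admin_Auth' => ''), false),
        'empty container' => array(array('Admin_Auth' => new ArrayObject()), false),
        'admin record'    => array(array('Admin_Auth' => array('storage' => 'admin')), true),
    );
    foreach ($cases as $name => list($session, $allowed)) {
        $ok = (connectorAccessError($session) === null) === $allowed;
        echo ($ok ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
    }
}
```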