Secure El-Finder files access in ZF2 project

El-Finder is a good file manager plugin which can be used with TinyMCE or CKEditor.

This plugin has a vulnerability of accessing server side files for non authorized users.

El-Finder screenshot

My solution

To secure the access to server files for non authorized users, add the following lines to the file elfinder/php/connector.php

<?php
require __DIR__ . '/../../../../vendor/autoload.php';

$sessionConfig  = new \Zend\Session\Config\SessionConfig();
$sessionManager = new \Zend\Session\SessionManager($sessionConfig);

$sessionManager->start();

if (! isset($_SESSION['Admin_Auth']) || null === $_SESSION['Admin_Auth']) {
  echo json_encode(array(
    'error' => 'errAccess',
  ));

  exit();
}

Now when accessing the elfinder.html url, you'll get an error message:

elfinder access error message