Contrib.social

Accessing URL to script filemanager.config.php creates a file system inside the includes directory

Open on Drupal.org β†’
Created on 22 June 2022, over 2 years ago
Updated 29 March 2023, over 1 year ago

I've noticed what looks as attack attempts in my logs recently:
Bots access URL https://example.com/sites/all/modules/ckeditor/includes/filemanager.config.php

This leads to 2 problems:

  • A PHP error in logs Error : Call to undefined function resolveUrl() in main() (line 104 in /[...]/sites/all/modules/ckeditor/includes/filemanager.config.php).
  • A critical one: a full "sites" directory structure is created inside the includes directory.

I don't use CKFinder so I should not get any of these.

Anyway, this filemanager.config.php script looks very dangerous to me.

πŸ› Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

πŸ‡«πŸ‡·France anrikun

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago β†’
    πŸ‡ΈπŸ‡°Slovakia poker10

    I can confirm this behavior. We saw similar attempts today.

    If someone visits sites/all/modules/ckeditor/includes/filemanager.config.php (simple GET or POST request), it will create a sites/all/modules/ckeditor/includes/sites/default/files directory with .htaccess and css and js folders (because of the subsequent error).

    It is because Drupal is bootstrapped from the /sites/all/modules/ckeditor/includes directory and the $base_path is set to /sites/all/modules/ckeditor/includes (by $_SERVER['SCRIPT_NAME']), see drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL); --> drupal_settings_initialize();:

        // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
    // be modified by a visitor.
    if ($dir = rtrim(dirname($_SERVER['SCRIPT_NAME']), '\/')) {
      $base_path = $dir;
      $base_url .= $base_path;
      $base_path .= '/';
    }
    else {
      $base_path = '/';
    }

    We should probably check if the resolveUrl() function exists. See the proposed patch.

  • Comment over 1 year ago β†’
    πŸ‡«πŸ‡·France jim005

    We encountered the same problem when a bot ran over this file. In addition, all our CSS / JS aggregate become empty, so website were full buggy.

    To fix this issue quickly we went to admin/config/development/performance and we disabled :
    - Aggregate and compress CSS files.
    - Aggregate JavaScript files.
    then Clear Cache.

    Thanks for this patch, it's should be reviewed quickly.

  • Comment over 1 year ago β†’
    System Message
    • vokiel β†’ committed 3013af45 on 7.x-1.x 
      Issue #3291905 by poker10: Accessing URL to script filemanager.config....
  • Status changed to Fixed over 1 year ago
  • Comment over 1 year ago β†’
    πŸ‡΅πŸ‡±Poland vokiel Poland
  • Comment over 1 year ago β†’
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024