ZP1.4.4 : always Cross Site Request Forgery blocked

On the admin Upload>files tab, Ajaxfilemanager doesn't show me anything, although permissions are correct. And I also always get
`"ajaxfilemanager" Cross Site Request Forgery blocked.`

Why ?

Comments

  • On the admin Upload>files tab, AjaxFileManager (AFM) correctly lists the content of my UPLOADED root folder.

    But :
    - If I click on the AFM refresh button, AFM doesn't list anything at all.
    - If I click on a file, I don't have any preview but a smart 404: Album: zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/uploaded/picture.jpg doesn't exist!
    - If I click on a folder, I have a "Cross Site Request Forgery blocked" warning.

    What's wrong ?
  • The ajax manager is not working correctly. You should file an issue on this. Unfortunately this probably has something to do with the extra security we have had to apply to the filemanager because the developer has not implemented it himself. It may not be possible for anyone but the developer to fix this.

    Specifically, the ajax filemanager as it comes from its developer has absolutely no protection for cross site reference forgeries. We have reported this to him, but he seems to be ignoring the issue.

    We have put a wrapper around the use made in Zenphoto, but those buttons do not go through that wrapper.

    You might also wish to comment to the author www.phpletter.com about this security breach in his product.
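The wrapper described in this reply only protects the requests that are routed through it; the refresh, preview and folder buttons are not, which is why they fail. The following is an added example (not Zenphoto's code and not the phpletter file manager's) of a single dispatch point where every file-manager action passes the same token check before running; all function and key names are hypothetical.

```php
<?php
// Added example, not Zenphoto's or phpletter's code. Minimal synchronizer-token
// wrapper: every file-manager action (list, refresh, preview, change folder)
// is reached only through afm_dispatch(), so no button can skip the CSRF check.
// All names here are hypothetical.

// One random token per session; the client sends it back with every request.
function afm_token(array &$session): string {
    if (empty($session['afm_xsrf_token'])) {
        $session['afm_xsrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['afm_xsrf_token'];
}

// True only when the request carries this session's token (constant-time compare).
function afm_token_valid(array &$session, array $request): bool {
    $sent = $request['xsrf_token'] ?? '';
    return is_string($sent) && $sent !== '' && hash_equals(afm_token($session), $sent);
}

// Keep the requested folder inside the upload root (rejects "../" escapes).
function afm_safe_dir(string $root, string $dir): ?string {
    $rootReal = realpath($root);
    $real = realpath($root . '/' . $dir);
    if ($real === false || $rootReal === false) { return null; }
    $inside = $real === $rootReal
        || strncmp($real, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) === 0;
    return $inside ? $real : null;
}

// Single entry point: token check first, then the named action.
function afm_dispatch(array &$session, array $request, string $root): string {
    if (!afm_token_valid($session, $request)) {
        return '"ajaxfilemanager" Cross Site Request Forgery blocked.';
    }
    $dir = afm_safe_dir($root, (string)($request['dir'] ?? '.'));
    if ($dir === null) { return 'folder outside upload root'; }
    switch ($request['action'] ?? '') {
        case 'list':
        case 'refresh':   // same code path as the initial listing, same check
            return implode("\n", array_diff(scandir($dir), ['.', '..']));
        default:
            return 'unknown action';
    }
}

// Constructed demonstration against a temporary upload root.
$root = sys_get_temp_dir() . '/afm_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/albums', 0700, true);
touch($root . '/picture.jpg');
$session = [];
echo afm_dispatch($session, ['action' => 'refresh', 'xsrf_token' => afm_token($session)], $root), "\n";
echo afm_dispatch($session, ['action' => 'refresh'], $root), "\n"; // blocked: no token sent
```

The second call reproduces the warning seen in the thread: a request that reaches the wrapper without the session token is refused before any directory is read.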