galaxian Posted November 7, 2013

Hello

We have recently come across a security issue with using the KCFinder image uploader which was integrated into CKEditor. KCFinder was used to upload images into product descriptions when being edited in CKEditor. Essentially the KCFinder file "browser.php" could be accessed by anyone online and allowed the uploading of files to a website. The addon has now been disabled.

After investigating further I found this note online regarding KCFinder:

Mandatory security measure: Open "kcfinder/config.php" and make sure "disabled" is true. If it's false, ANYONE will be able to access KCFinder and upload files.

We learned the hard way on that one. So in posting this info we hope no one else will have the same issue.

Question: What can we use which is secure with CKEditor to allow us to upload images into our product descriptions? We are using OSCOM 2.3.

Any feedback is much appreciated.
♥joli1811 Posted November 7, 2013

I personally just upload my images by FTP (FileZilla) to the images directory, click the small image button in CKEditor and give the image address as yoursite.com/images/any_image.jpg

Regards Joli

To improve is to change; to be perfect is to change often.
galaxian Posted November 7, 2013 (Author)

Thank you for the feedback. Yes, that is a solution, but it just adds a bit more time to the process. I was hoping there may be a secure solution out there.
♥joli1811 Posted November 7, 2013

Well, I was at the plugin section of the CKEditor site yesterday and do seem to remember reading something about image uploaders, but cannot remember the details. Have another look there. I was also there just to see about allowing image upload to the front of the site with security in mind. Haven't had time to study it.
Piemol Posted November 21, 2013 (edited)

Well, to be honest I stumbled upon this problem this week and made a solution...

At the bottom of '/admin/includes/application_top.php' you add the session variables to make KCFinder enable the upload functionality. So only logged-in admin users can use the upload functionality:

/* Enable KCFinder, the filemanager in TinyMCE */
$_SESSION['KCFINDER'] = array();
$_SESSION['KCFINDER']['disabled'] = false;

In /kcfinder/core/autoload.php I added to the top of the file:

// BOF: Added to work with session handling of osCommerce:
set_include_path('../');
include('../includes/application_top.php');
set_include_path(dirname(__FILE__));
// EOF: Added to work with session handling of osCommerce:

Just change the include path to the path where your admin/includes/application_top.php file is. The path I used works when KCFinder is a direct subfolder of the admin.

Now it is secure! (I hope at least :) )

Edited November 21, 2013 by Piemol
♥joli1811 Posted November 21, 2013

Hi Leo, security issue confirmed with KCFinder, now going to try your fix. Thanks for the info :thumbsup:

Regards Joli
♥joli1811 Posted December 27, 2013

Hi Leo, works good, seems secure now. Good catch.

Regards Joli
CGhoST Posted January 20, 2014

I installed this contribution and I seem to be getting the following error:

Warning: include(../includes/application_top.php): failed to open stream: No such file or directory in c:\htdocs\website\catalog\admin\ext\kcfinder\core\autoload.php on line 25
Warning: include(): Failed opening '../includes/application_top.php' for inclusion (include_path='../') in c:\htdocs\website\catalog\admin\ext\kcfinder\core\autoload.php on line 25

I have changed all the configuration files to point to admin/ext/kcfinder. Any help is much appreciated.
♥joli1811 Posted January 20, 2014 (edited)

Hi Ghost, KCFinder should be installed in admin/kcfinder/ and CKEditor in admin/ext/ckeditor. Try moving kcfinder up a level, just beside the includes directory.

Regards Joli

Edited January 20, 2014 by joli1811
CGhoST Posted January 20, 2014

Is there a way of installing it in admin/ext please? If not then OK, but I would like it in admin/ext if possible please.
♥joli1811 Posted January 21, 2014

Hi Ghost, quite sure it is possible. You would need to go to the website; there is documentation included with the package with a link. If you follow it you can read the different config settings and see the path changes you would need to make. You would also need to change the security fix paths, as these are for a standard install with kcfinder at top level. About 4 - 6 paths would need to be changed and tested.

Regards Joli
CGhoST Posted January 21, 2014

Finally found the solution. Thank you for all your help. Appreciate it.
jeu4328 Posted January 27, 2014 (edited)

Hello :)

I've installed CKEditor in my admin/ext folder and KCFinder in the admin folder, but when working within my admin file and I try to add an image, I click on the Browse Server button and a new Administrator Login page pops up. I log in, try to add a pic through CKEditor, and when I click on the Browse Server button the same thing happens again. It appears that I am experiencing some sort of 'groundhog day' loop :P . Does anyone have any idea what could be causing this, and what I can do to correct it?

In the meantime, I AM able to add pictures by typing in my http://mywebsite.com/images/picname.jpg ... but I'm wondering what could be causing this issue.

Thank you,
Jewell

Edited January 27, 2014 by jeu4328
jeu4328 Posted February 1, 2014

Please disregard the previous plea. I've re-installed, and it is working :)

Thank you,
Jewell
ndiggity Posted February 15, 2014

Thank you very much for supporting this contribution! I use CKEditor all the time and just installed the updated version with KCFinder.

I have a question about the security update. Specifically, what is the purpose of set_include_path('../'); and set_include_path(dirname(__FILE__));? I looked them up and understand what they do, but I don't quite understand why they are used in /kcfinder/core/autoload.php (below). Are they relevant to the security update or just used depending on your file structure?

// BOF: Added to work with session handling of osCommerce:
set_include_path('../');
include('../includes/application_top.php');
set_include_path(dirname(__FILE__));
// EOF: Added to work with session handling of osCommerce:

Both are causing errors lower in the file for me (i.e. line 64 require "core/uploader.php";). The location of autoload.php on my site is catalog/admin/kcfinder/core/autoload.php. If I comment them out then everything seems to work fine. If either is active then KCFinder doesn't work.

I'm a bit of a novice when it comes to PHP... Are these lines required for the security update at all, or are they just useful depending on your file structure?

Thank you in advance!
♥joli1811 Posted February 15, 2014 (edited)

Hi Nate, these lines are added to prevent access to http://www.xxxxxxxx.com/admin/kcfinder/core/browser.php from anyone online; it just means that you have to be logged in to admin to access the files. What errors are you getting? Test if you can access the above file from your browser; that is the security hole if you can access it.

Should be added after the first <?php:

<?php
// BOF: Added to work with session handling of osCommerce:
set_include_path('../');
include('../includes/application_top.php');
set_include_path(dirname(__FILE__));
// EOF: Added to work with session handling of osCommerce:

Regards Joli

Edited February 15, 2014 by joli1811
ndiggity Posted February 15, 2014

Hello Joli,

Thank you for following up. I truly appreciate it! I've been tweaking autoload.php a bit and using the various error logs to understand where things are failing. It's been a bit of a learning experience! I'd like to run something past you...

1. As far as I can tell the set_include_path('../'); is useful for when autoload.php includes application_top.php in the next line of code, include('../includes/application_top.php');. I'm guessing this because if I comment out set_include_path('../'); then I get errors having to do with application_top.php and various files application_top.php calls.

2. After application_top.php has done its thing with regard to sessions and such, we need to set the include path back so that we don't have to change a bunch of other paths in autoload.php. I'm guessing that is the purpose of set_include_path(dirname(__FILE__));. For some reason I couldn't get KCFinder to work without commenting out these two lines (which screwed up the admin session stuff) or without modifying the paths of the other includes in autoload.php.

Assuming 1 & 2 above are correct, I replaced set_include_path(dirname(__FILE__)); with restore_include_path(); such that this code block now looks like...

// BOF: Added to work with session handling of osCommerce:
set_include_path('../');
include('../includes/application_top.php');
restore_include_path();
// EOF: Added to work with session handling of osCommerce:

KCFinder seems to be working fine now and I don't see any errors in the error logs. Also, I checked http://www.MYSITE.com/catalog/admin/kcfinder/core/browser.php as you mentioned above and it returns Forbidden (presumably because of the .htaccess file). I also checked http://www.MYSITE.com/catalog/admin/kcfinder (there is no .htaccess file here) and it required a login. Does all that sound correct, as in that's the way it's supposed to work?

Thank you very much for the help! I really appreciate it!
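The fix Piemol posted and the restore_include_path() variant Nate arrived at, written out as one added example. This is not code from the posts above or from osCommerce or KCFinder; it assumes KCFinder is installed as admin/kcfinder/ (so autoload.php sits at admin/kcfinder/core/ and three dirname() calls reach admin/), that admin/includes/application_top.php redirects a logged-out visitor to login.php as osCommerce 2.3 does, and that the admin login is recorded under a $_SESSION['admin'] key (the key name is an assumption). Both fragments are shown in one file for reading; each goes into the file its comment names.

```php
<?php
// Added example, not code from the posts above or from osCommerce/KCFinder.
// Two fragments that together gate KCFinder behind the osCommerce admin login.
// Assumptions: KCFinder is installed as admin/kcfinder/ (this file is then
// admin/kcfinder/core/autoload.php and browser.php runs with admin/kcfinder as
// its working directory); admin/includes/application_top.php redirects to
// login.php when no admin session exists; $_SESSION['admin'] is the assumed
// name of the osCommerce 2.3 admin login session key.

/* ----- Fragment 1: bottom of admin/includes/application_top.php ----- */
// kcfinder/config.php keeps 'disabled' => true. KCFinder honours a session
// override in $_SESSION['KCFINDER'], so the file manager is switched on only
// for a request that already carries a valid admin session.
if (isset($_SESSION['admin'])) {
    $_SESSION['KCFINDER'] = array('disabled' => false);
} else {
    unset($_SESSION['KCFINDER']);   // never leave a stale "enabled" flag behind
}

/* ----- Fragment 2: top of admin/kcfinder/core/autoload.php ----- */
$kc_admin_dir = dirname(dirname(dirname(__FILE__)));   // admin/ for admin/kcfinder/core/
$kc_app_top   = $kc_admin_dir . '/includes/application_top.php';

if (!is_file($kc_app_top)) {
    // Wrong directory layout (the "failed to open stream" case in this thread):
    // fail closed instead of running the file manager without the login check.
    header('HTTP/1.1 403 Forbidden');
    exit('KCFinder: admin application_top.php not found');
}

// application_top.php uses includes relative to admin/, so point include_path
// there for the duration of the require. set_include_path() returns the old
// value, which does the job of restore_include_path() (removed in PHP 8.0).
$kc_prev_path = set_include_path($kc_admin_dir);
require $kc_app_top;                 // sends a logged-out visitor to login.php
set_include_path($kc_prev_path);     // KCFinder's own require "core/..." lines expect this

// Belt and braces: even if application_top.php ever returns without redirecting,
// refuse the request unless the session explicitly enables KCFinder.
if (empty($_SESSION['KCFINDER']) || !empty($_SESSION['KCFINDER']['disabled'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
```

The absolute paths built from __FILE__ remove the dependence on the working directory that produced the "No such file or directory" warnings earlier in this thread, and the final check means the page answers 403 rather than serving the file browser if the session override is ever missing. The test Joli describes still applies afterwards: requesting browser.php in a fresh browser with no admin login should land on the login page or a 403, never on the file manager.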
♥joli1811 Posted February 16, 2014

Well, it is strange; the security fix worked for me. I have it running as it is on a few sites with no problems, so maybe it is something to do with your setup/server/PHP version, but the results you are getting are correct. Not much of a PHP expert myself; if that works for you, good. The main thing is that access to browser.php is blocked until you log in and there are no errors in your error log. Maybe someone else with a bit more knowledge would care to comment!!!

When I first installed it I saw that anyone online could actually access that file, so including the admin/include/application_top.php seems to be the logical solution.

Thanks for the update, it will be useful for anyone else experiencing similar problems.

Regards Joli