CKEditor 4
Sun, 03/07/2010 - 23:52
#1
huggys
huggys's picture
Joined: 07/03/2010
Posts: 10

Can't Prevent Uploads

I am having a hard time getting it to work correctly with my websites (built using osCommerce). I have searched the forums and google for the past 3 days and I can't find a solution. I've been able to get it to work. My problem is that I am not able to block anyone from uploading directly to: mysite/admin/ckfinder/ckfinder.html

My config.php looks like this:
<?php

session_start();

function CheckAuthentication()
{
   if(!isset($_SESSION['osCAdminID']))
      return true;
      else
      return false;
}

// LicenseKey : Paste your license key here. If left blank, CKFinder will be fully functional, in demo mode.
$config['LicenseName'] = '';
$config['LicenseKey'] = '';

$baseUrl = '/ckfinder/userfiles/';

$baseDir = resolveUrl($baseUrl);

$config['Thumbnails'] = Array(
      'url' => $baseUrl . '_thumbs',
      'directory' => $baseDir . '_thumbs',
      'enabled' => true,
      'directAccess' => false,
      'maxWidth' => 100,
      'maxHeight' => 100,
      'bmpSupported' => false,
      'quality' => 80);

$config['Images'] = Array(
      'maxWidth' => 1600,
      'maxHeight' => 1200,
      'quality' => 80);

$config['RoleSessionVar'] = 'CKFinder_UserRole';

$config['AccessControl'][] = Array(
      'role' => '*',
      'resourceType' => '*',
      'folder' => '/',

      'folderView' => true,
      'folderCreate' => true,
      'folderRename' => true,
      'folderDelete' => true,

      'fileView' => true,
      'fileUpload' => true,
      'fileRename' => true,
      'fileDelete' => true);

$config['DefaultResourceTypes'] = '';

$config['ResourceType'][] = Array(
      'name' => 'Files',            // Single quotes not allowed
      'url' => $baseUrl . 'files',
      'directory' => $baseDir . 'files',
      'maxSize' => 0,
      'allowedExtensions' => '7z,aiff,asf,avi,bmp,csv,doc,fla,flv,gif,gz,gzip,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,mpg,ods,odt,pdf,png,ppt,pxd,qt,ram,rar,rm,rmi,rmvb,rtf,sdc,sitd,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,wmv,xls,zip',
      'deniedExtensions' => '');

$config['ResourceType'][] = Array(
      'name' => 'Images',
      'url' => $baseUrl . 'images',
      'directory' => $baseDir . 'images',
      'maxSize' => 0,
      'allowedExtensions' => 'bmp,gif,jpeg,jpg,png',
      'deniedExtensions' => '');

$config['ResourceType'][] = Array(
      'name' => 'Flash',
      'url' => $baseUrl . 'flash',
      'directory' => $baseDir . 'flash',
      'maxSize' => 0,
      'allowedExtensions' => 'swf,flv',
      'deniedExtensions' => '');

$config['CheckDoubleExtension'] = true;
$config['FilesystemEncoding'] = 'UTF-8';
$config['SecureImageUploads'] = true;
$config['CheckSizeAfterScaling'] = true;
$config['HtmlExtensions'] = array('html', 'htm', 'xml', 'js');
$config['HideFolders'] = Array(".svn", "CVS");
$config['HideFiles'] = Array(".*");
$config['ChmodFiles'] = 0755 ;
$config['ChmodFolders'] = 0755 ;
$config['ForceAscii'] = false;


Can anyone help me with this?
Top
Mon, 03/08/2010 - 08:36
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3737

Re: Can't Prevent Uploads

I think that you have reverted the check. Try this:
function CheckAuthentication()
{
   if(isset($_SESSION['osCAdminID']))
      return true;
      else
      return false;
}


(removed the !)
Top
Mon, 03/08/2010 - 16:37
huggys
huggys's picture
Joined: 07/03/2010
Posts: 10

Re: Can't Prevent Uploads

Thank you for your response. Removing the ! gives me the security message:
The file browser is disabled for security reasons. Please contact your system administrator and check the CKFinder configuration file.

Of course, that leads me to believe that what I have isn't going to work. I'm now starting to wonder how/where this even looks for the osCAdminID in the first place. I'm really quite lost here. I know that Joomla and Drupal both have much more complicated CheckAuthentication functions that call upon their configuration files and, I'm guessing, their databases. I'm thinking I may end up having to do the same thing, but I really have no idea how to do that.
Top
Mon, 03/08/2010 - 16:58
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3737

Re: Can't Prevent Uploads

Sorry, I don't know anything about how osCommerce works. It might depend on the version, but I don't think that it will be too complex.
Just create a simple .php page that outputs the $_SESSION['osCAdminID']) and when you manage to get that (or the correct variable name) then you are almost done.
Top
Mon, 03/08/2010 - 21:39
huggys
huggys's picture
Joined: 07/03/2010
Posts: 10

Re: Can't Prevent Uploads

Thank you, again, for your reply. I'm pretty new to php, so I have no idea what that means. However, your advice was very helpful since it pointed me towards other options. I probably ended up doing a lot more work than you suggested. I ended up requiring the admin login directly on the ckfinder.html page. So, if someone tries to go directly to that page, it will ask them to login.

Do you think that is secure enough?
Top
Fri, 03/12/2010 - 21:53
huggys
huggys's picture
Joined: 07/03/2010
Posts: 10

Re: Can't Prevent Uploads

I just wanted to double check that the script is still secure from hackers by doing it the way that I did. If not, would you mind helping me with that? I just purchased the CKFinder Corporate Web Sites License from you guys and I wanted to get this working the proper way before I go and make changes to all of my websites.

Thanks.
Top
Fri, 03/12/2010 - 22:52
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3737

Re: Can't Prevent Uploads

As I said, I'm sorry but I know very little PHP and less about osCommerce, so I can't be of any help to answer that kind of questions. I shouldn't even have answered the original question.
Top
Fri, 03/12/2010 - 23:17
huggys
huggys's picture
Joined: 07/03/2010
Posts: 10

Re: Can't Prevent Uploads

That's ok... I'll look into that further on my own. I appreciate you taking the time to reply about it anyway as it did help me in the end.

Perhaps I can get your help on something else? I should have posted this in this area, I believe I posted it in the wrong board by mistake. I'll just paste my other question here:

I have 2 questions. I have integrated ckfinder with ckeditor.

First, when right-click on an image in my CKFinder, I see the options: View, Download, Rename, & Delete. How do I get the Select to show up so that I can get the image into my ckeditor?

My second question is about the folders I have in CKFinder. On my website, I have my website images in the images folder and my website's design images in my design folder. Is there a way to get both of these folders to show in CKFinder without getting all of the other folders/files in my root to show?
Top
Fri, 03/12/2010 - 23:24
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3737

Re: Can't Prevent Uploads

I would prefer to let Wiktor reply these questions because I can say something that it's not the proper way to do it in PHP. Be a little patient and he will be able to help you much better than I can.
Top
Mon, 03/22/2010 - 13:52
wiktor
wiktor's picture
Joined: 16/07/2007
Posts: 1641

Re: Can't Prevent Uploads

Apologies for late reply.

Unfortunately I have no idea what session variables is osCommerce using, but as Alfonso wrote, it might be a definitely good idea to print all session variables in a separate script to see:
- what session variables are available when user is logged in
- whether you're able to easily access osCommerce session varialbles (some PHP applications need a bit more complicated code than just session_start to be able to access their session variables)

To do this, simply create a simple file with this code:

<?php
session_start();
print_r($_SESSION);

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Top
Mon, 03/22/2010 - 19:08
huggys
huggys's picture
Joined: 07/03/2010
Posts: 10

Re: Can't Prevent Uploads

Thank you for the reply.

I figured out why the select wasn't showing up. It was because I turned the ckfinder.html file into a php page. Now, why turning an html page into a php page prevents me from seeing the select and select thumbnail, I can't imagine.

The reason why I changed it was so that I could place the php code to force a user to login to use ckfinder.

So, I've turned it back into html again and everything is working as it should. The problem now, of course, is that anyone can access that page since I still haven't figured out how to get the CheckAuthentication to work properly for my site.

For the session variables, if I enter
<?php
session_start();
print_r($_SESSION);

Into a blank file, I get a blank response. If I enter it into one of my pages that force a user to login, I get this:
Array ( [language] => english [languages_id] => 1 [selected_box] => configuration [admin] => Array ( [id] => 3 [username] => demo ) )

Of course, knowing that really doesn't help me since I still can't figure out how to use that information. I don't see how/where ckfinder uses the variable or sees if a user is logged in.

Could you please help me?
Top
Wed, 08/15/2012 - 19:22
perplex
perplex's picture
Joined: 21/02/2011
Posts: 5

Re: Can't Prevent Uploads

Hey, did you guys ever figure this out? This might help but I can get this to work; http://www.parorrey.com/blog/oscommerce ... rce-store/

Top
Fri, 11/16/2012 - 04:19
okstmtcc
okstmtcc's picture
Joined: 16/11/2012
Posts: 1

Re: Can't Prevent Uploads

Had anyone figure this out? Cannot get the admin session to do authentication on the ckfinder page, hacker can upload files through there :(

Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check