Hello.
A friend of mine successfully installed FCKeditor on his PHP site.
The main problem is that once you get the link to the resource browser with connector, you can use this link to upload files or images to the server's userfiles repository, even if you are not registered on the site.
This could allow an ill-intentioned user to fill disk space or browse registered users' data.
I am quite a newbie to PHP, so could you give me some guidance on how to do that, or even point me to resources that could give some information on how to restrict access, or to put some quotas on the userfiles repository?
Thanks.
RE: Resource browser protection
Is this a bespoke site, or one using a CMS, or what?
RE: Resource browser protection
The site is PHP based (PHP-Nuke).
Only registered users can add content to most of the modules, e.g. forum, chat.
FCKeditor has been added to allow users to build reports easily on the website.
The problem is that the resource browser from FCKeditor is JavaScript.
If you know the path to the app and where the PHP connector is (an ill-intentioned user can check the link when using the resource browser from FCKeditor), then you can launch it and upload as many files as you want, and even browse the userfiles.
Of course you cannot add data to the SQL DB.
But you can upload files to the repository.
This is why I am asking if there is a way to prevent that.
Maybe in the PHP connector configuration?
RE: Resource browser protection
Yes. Enable it only if the user has already authenticated himself.
RE: Resource browser protection
Could you briefly tell me how to do that? I will then dig into it by myself.
Is it through the main PHP file, or?
RE: Resource browser protection
// SECURITY: You must explicitly enable this "uploader".
$Config['Enabled'] = false ;
Instead of just setting it to true, you must do a session check, or put an .htaccess file in place to protect those folders.
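The session-check approach from the reply above, written out as an added example for the PHP connector's config.php (this is not code from the thread or from the FCKeditor project). It assumes, hypothetically, that the site's login code starts a PHP session and stores the logged-in user's id in $_SESSION['user_id'], that the userfiles tree lives at DOCUMENT_ROOT/userfiles/, and a made-up 200 MB quota; all three are assumptions to adjust to the real site. The quota check goes a step beyond the reply: it also covers the original poster's disk-filling concern by refusing uploads once the userfiles tree is over a size limit.

```php
<?php
// Added example, not the FCKeditor project's shipped config.php.
// Goal: the connector (and so the resource browser) only works for a
// logged-in user, and only while the userfiles tree is under a quota.

// ASSUMPTION: the site's login code calls session_start() and sets
// $_SESSION['user_id'] on success. Change this to whatever your login
// code really sets (PHP-Nuke's own login mechanism may differ).
if (session_id() === '') {
    session_start();
}

// ASSUMPTION: absolute path of the userfiles tree and an arbitrary quota.
$Config['UserFilesPath']         = '/userfiles/';
$Config['UserFilesAbsolutePath'] = rtrim($_SERVER['DOCUMENT_ROOT'], '/') . '/userfiles/';
$userFilesQuotaBytes             = 200 * 1024 * 1024; // hypothetical 200 MB limit

// True only when a real, logged-in user owns this session.
function fck_user_is_logged_in()
{
    return isset($_SESSION['user_id']) && (int) $_SESSION['user_id'] > 0;
}

// Sum of file sizes under $dir (recursive). Returns 0 for a missing dir,
// so a fresh install with no userfiles folder is still under quota.
function fck_dir_size($dir)
{
    if (!is_dir($dir)) {
        return 0;
    }
    $total = 0;
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $entry) {
        if ($entry->isFile()) {
            $total += $entry->getSize();
        }
    }
    return $total;
}

// Decide whether this request may use the connector at all.
function fck_connector_allowed($userFilesDir, $quotaBytes)
{
    if (!fck_user_is_logged_in()) {
        return false;                       // anonymous visitor: deny
    }
    return fck_dir_size($userFilesDir) < $quotaBytes;  // over quota: deny
}

// SECURITY: this is the line the thread is about. It is no longer a
// constant "true"; it is evaluated per request from the session state.
$Config['Enabled'] = fck_connector_allowed(
    $Config['UserFilesAbsolutePath'],
    $userFilesQuotaBytes
);
```

Two practical notes: the check has to live inside the connector's own config.php (every request to the connector includes it), not only in the page that embeds the editor, because the attacker in the thread calls the connector URL directly and never loads that page. And the quota check only refuses new uploads once the tree is already over the limit, so a single very large upload can still overshoot; cap the request size too (PHP's upload_max_filesize/post_max_size, or the web server's body-size limit) if that matters on your host.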