Good day
One of my client websites uses a CMS that implements FCKEditor for content images upload. Problem is that you can access the fileuploader with relative ease even without logging in, thus uploading the files and whatnot. The website was hacked in this manner, uploading harmful files and thus gaining access to the virtual host.
Now, I know what the problem is. Configuration file of php connector has:
$Config['Enabled'] = true ;
Which makes it available for all. I have searched through the forums and Google, and already know that making authentication check there can make it secure. My problem is that I have no idea how. The CMS uses sessions to authenticate users, but these sessions aren't carried on to FCKEditor, and thus I have no idea how to actually authenticate the user when using FCKEditor. I tried a few random things that I could think of, but with no success. No SESSION data is carried on.
Forums keep talking about 'adding authentication checks' to the config file, but I have no idea how to do this is sessions are unavailable there. I also tried .htaccess, but using .htaccess I either have to enter new credentials when accessing connector.php folder, with no way to bypass it. I've been banging my head against the table for hours now about this, does anyone know how to build up a session authentication layer that sets or unsets the connection?
And why aren't the session variables read by FCKEditor? Because it's HTML? It doesn't work in any of the browsers I've checked (IE, Firefox, Chrome, Safari)
If I can't use session variables, are there any other ways I can determine if user has logged in CMS or not?
Does anyone know why this does not work?
CMS uses sessions a bit more complicated than that, but I can't seem to get to even the simple sessions working when FCKEditor is called for. Am I missing something? I've gone through-and-through the forums with no luck.
One of my client websites uses a CMS that implements FCKEditor for content images upload. Problem is that you can access the fileuploader with relative ease even without logging in, thus uploading the files and whatnot. The website was hacked in this manner, uploading harmful files and thus gaining access to the virtual host.
Now, I know what the problem is. Configuration file of php connector has:
$Config['Enabled'] = true ;
Which makes it available for all. I have searched through the forums and Google, and already know that making authentication check there can make it secure. My problem is that I have no idea how. The CMS uses sessions to authenticate users, but these sessions aren't carried on to FCKEditor, and thus I have no idea how to actually authenticate the user when using FCKEditor. I tried a few random things that I could think of, but with no success. No SESSION data is carried on.
Forums keep talking about 'adding authentication checks' to the config file, but I have no idea how to do this is sessions are unavailable there. I also tried .htaccess, but using .htaccess I either have to enter new credentials when accessing connector.php folder, with no way to bypass it. I've been banging my head against the table for hours now about this, does anyone know how to build up a session authentication layer that sets or unsets the connection?
And why aren't the session variables read by FCKEditor? Because it's HTML? It doesn't work in any of the browsers I've checked (IE, Firefox, Chrome, Safari)
If I can't use session variables, are there any other ways I can determine if user has logged in CMS or not?
Does anyone know why this does not work?
session_start(); $Config['Enabled'] = false; if ($_SESSION['authorized']) { $Config['Enabled'] = true; }
CMS uses sessions a bit more complicated than that, but I can't seem to get to even the simple sessions working when FCKEditor is called for. Am I missing something? I've gone through-and-through the forums with no luck.
Re: Session authentication problem! - Hacked
Re: Session authentication problem! - Hacked
Re: Session authentication problem! - Hacked
We use sessions for storing information about users login status (are they logged in, and userID for page based permission checks), so all we did was write a small function that returns a boolean value based on whether or not the session exists and the userid is valid. True = logged in, False = not.
Re: Session authentication problem! - Hacked
Re: Session authentication problem! - Hacked
Re: Session authentication problem! - Hacked
What do you mean by that?
My config.php is modified to have
Instead of $Config['Enabled'] being alone. It does not get Session variables, period, no matter what I do, the rest of the system still has though.
Re: Session authentication problem! - Hacked
If this is the case, you can copy the name, start your session, and inherit the session variables.
Re: Session authentication problem! - Hacked
Thanks for all the suggestions.
Re: Session authentication problem! - Hacked
2 things
It might be useful if the comment that instructs you to enable the connector in the config files mentioned the need to use session checking or some other access control.
It will also help prevent this type of attack if you don't use the default FCKEditor directory as the root of the FCK install. I am pretty sure the hackers only find it because it uses a standard directory name. If you change the directory you need to change it in FCKConfig as well.
Cheers
jc