ckeditor - does it upload images

[kwright]

Got it!

So, other then the suggested IP restriction and editors dir name change, any other validation suggestion one could do to verify that ckfinder is not being hacked?

Also, my ckeditor.php file doesn't have a DIR_WS_EDITOR setting. I guess I need to code this?

Thanks again!

[terraGirl]

I stumbled across this thread when I had to secure CKFinder in Zen Cart. The IP address restriction didn't work for me, as my client is on a variable IP.

So I slapped a cPanel folder protection on and this should do the trick. It asks for the log in as soon as you access a page in admin which has CKFinder embeded and also if you try to access CKFinder directly.

Maybe this helps others who come across this thread.

All the best, Edith

[kwright]

OK, don't mean to beat a horse as they say...

I have CKEditor and CKFinder installed and working on 1.3.9d. I want to secure (as best as possible) CKFinder.

Here's what I have so far in general:

1. Admin dir renamed
2. htaccess pwd admin dir
3. Using https to login
4. limited file types in finder to gif, jpg and png

I read in another thread to pwd the editor and finder dir as well. Any thought on this redundancy?

Since I don't know the methods a hacker could use to get in and use CKFinder, any other suggestions / recommendation (other then don't use CKFinder) would be helpful to all of us that need / wish to use CKFinder.

Thanks

[vandiermen]

I want to secure (as best as possible) CKFinder.

I had FCKeditor(with image uploader) installed on all my 1.3.8 sites and just changed the admin url, and I was never hacked.

If you change your admin url this should protect your site.

I looked for CKFinder in the free ad-ons... pity no one has added it for zencart.

p.s.
without changing the admin url your site is vulnerable I think.

[kuroi]

I looked for CKFinder in the free ad-ons... pity no one has added it for zencart.

It can't be added for Zen Cart. It's a commercial product requiring a paid-for license.

[vandiermen]

It can't be added for Zen Cart. It's a commercial product requiring a paid-for license.

It seems you can download it for free for your own websites. Perhaps zencart integration patch files could be added I am not sure. Thanks for your answer.

[vandiermen]

p.s.
if you got some reseller licence from CKSource, and sold the module for zencart on your website; I would buy it. :-)

[kwright]

I had FCKeditor(with image uploader) installed on all my 1.3.8 sites and just changed the admin url, and I was never hacked.

If you change your admin url this should protect your site.

I looked for CKFinder in the free ad-ons... pity no one has added it for zencart.

p.s.
without changing the admin url your site is vulnerable I think.

Yup, done that! Even changed the editor & CKFinder dir name...I just feel there is something else I should do that would better authenticate if an admin user is "Logged-in" within the CKFinder config.php CheckAuthentication function

[kuroi]

@vandierman The CKFinder people don't offer a reseller license. They have an OEM license, but it's not compatible with the GPL under which Zen Cart is released.

@kwright I believe that this can be done, but would require relocating the entire editor structure into the Admin to gain access to the admin session.

[tonyniemann]

Don't know if anyone cares anymore but here is the solution I came up with for CKFinder security. Basically it limits access to the IP address of the logged in admin - it's not perfect but it's pretty good.

I establish the access to CKFinder in #admin#/includes/ckeditor.php but I'm sure this idea could be ported.

In ckeditor.php I added the following:

Code:

if (!defined('IS_ADMIN_FLAG')) {
  die('Illegal Access');
}

/* BEGIN ADD */
$IP = $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]; 
$currentcode =  md5('salt_one' . $IP . 'salt_two');
/* END ADD */

$var = zen_get_languages();

The "salt_one" and "salt_two" are hardcoded random strings.

Then I added the access lines to the CKEDITOR.replace call like so

Code:

      CKEDITOR.replace($(this).attr('name'),
        {
          coreStyles_underline : { element : 'u' },
          width : 760,
          language: lang[index],
          filebrowserBrowseUrl: '../<?php echo DIR_WS_EDITORS ?>ckfinder/ckfinder.html?lcsd=<?php echo $currentcode ?>',
          filebrowserImageBrowseUrl: '../<?php echo DIR_WS_EDITORS ?>ckfinder/ckfinder.html?type=Images&lcsd=<?php echo $currentcode ?>',
          filebrowserUploadUrl: 
            '../<?php echo DIR_WS_EDITORS ?>ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Files&lcsd=<?php echo $currentcode ?>',
          filebrowserImageUploadUrl: 
            '../<?php echo DIR_WS_EDITORS ?>ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Images&lcsd=<?php echo $currentcode ?>'
        });

Now I have a parameter being passed to the CKFinder that is unique to the current users IP address (proxies, etc notwithstanding).

Then, over in the /ckfinder/config.php I test for this new parameter:

Code:

function CheckAuthentication()
{
    $IP = $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"];     
    $currentcode =  md5('salt_one' . $IP . 'salt_two');
    $testcode = '';
    
    if (isset($_REQUEST['lcsd'])) {
        $testcode = $_REQUEST['lcsd'];
    };

    return ($testcode == $currentcode);    
}

Perhaps I'm missing something obvious, but so far it appears to be working.

Tony