ckeditor - does it upload images

[kachana]

Does CKEDITOR allow you to upload images to your server?

Thanks

[DrByte]

Not natively, no.

[kachana]

Thank you for that prompt rely:)

[kwright]

There is a CKFinder file manager, but haven't had luck integrating with CKEditor...

[kuroi]

It's not easy to integrate Image Manager extensions to WYSIWYG editors such as CKEditor or TinyMCE.

If you don't integrate them securely, you leave yourself open to the upload of malicious files by hackers.

But integrating them securely is very difficult too as Zen Cart is deliberately locked down to not offer third-party apps a way to penetrate its security, since these would offer a point of attack for hackers.

[kwright]

Hi kuroi,

First, I would like to say thanks for the contrib! As you read in my other post, It installed and works flawlessly, including the upgrade process. CKEditor is a nice addition for Zen users.

I do understand the potential security issues with file managers. However, if one does wish to configure CKFinder, would you happen to have any helpful directions on this?

[kwright]

OK, got ckfinder working on localhost!

Now I am trying to secure it. In the ckfinder config.php file, there is a CheckAuthentication() function that needs to return true. I added the following, but doesn't seem to work.

Code:

 return isset($_SESSION['securityToken']) && $_SESSION['securityToken'];

This should return true if admin is logged in...correct?

Any ideas?

[kuroi]

Alas that won't work as the page has already been completely rendered by the time you initiate the CKFinder call, and the session has been closed down to protect the information that it contains.

Nor can you restart the same session at this point, since the http headers were sent prior to the page rendering.

If you're working from a fixed IP you might be able to check that the browser request came from that IP and exclude any others.

You can also obscure the location of the editors (similarly to changing the name of the admin folder) by renaming the folder and editing the DIR_WS_EDITOR setting in the admin ckeditor.php file, which would make it more difficult for a hacker to find and access the CKFinder upload facility.

[kwright]

Thanks for the info about Zen sessions kuroi.

I had tried several methods, but as you pointed out, Zen sessions by design, are very secure...

I like the idea of obscuring the dir and looking at the IP...

Would there be any other way to validate that one is logged in to the store admin that can be made available to the ckfinder config script?

[kuroi]

Alas, the information used to verify that somebody is logged in is in the session that you can't get at.