  1. #1
    Join Date: May 2006 | Location: Virginia U.S | Posts: 173 | Plugin Contributions: 3

    Security Risk - HTMLArea Image Manager

    I wanted to point out that HTMLArea Image Manager has a security risk to your store. The image manager can be accessed directly from any browser by anyone.

    http://yourstore.com/store/editors/h...er/manager.php

    We need one of you php wizards to implement ZC login / security to it. I'm sure it can be done :)

    Take care
    How can there be nothing? Nothing is something!

  2. #2
    Join Date: Aug 2005 | Location: Arizona | Posts: 27,761 | Plugin Contributions: 9

    Re: Security Risk - HTMLArea Image Manager

    Quote: "I wanted to point out that HTMLArea Image Manager has a security risk"

    Not if you have a sound 1.3.9h version

    I get

    Code:
    You don't have permission to access /demo/editors/htmlarea/plugins/ImageManager/manager.php on this server.

    Zen-Venom Get Bitten

  3. #3
    Join Date: May 2006 | Location: Virginia U.S | Posts: 173 | Plugin Contributions: 3

    Re: Security Risk - HTMLArea Image Manager

    Cobra, I'm using 1.3.9h and I have it as a fresh install. I've not removed any of the core files and I can get to it. Is there something I need to check? All of the chmod settings are correct and all of the .htaccess files are intact.
    How can there be nothing? Nothing is something!

  4. #4
    Join Date: Aug 2005 | Location: Arizona | Posts: 27,761 | Plugin Contributions: 9

    Re: Security Risk - HTMLArea Image Manager

    Don't know

    All I can offer is that you try it on a base demo of 1.3.9h HERE
    Zen-Venom Get Bitten

  5. #5
    Join Date: May 2006 | Location: Virginia U.S | Posts: 173 | Plugin Contributions: 3

    Re: Security Risk - HTMLArea Image Manager

    Thanks, I'll try it out when I get home. Wish I knew why mine is allowing it access.
    How can there be nothing? Nothing is something!

  6. #6
    Join Date: May 2006 | Location: Virginia U.S | Posts: 173 | Plugin Contributions: 3

    Re: Security Risk - HTMLArea Image Manager

    Found the problem...

    The supplied .htaccess file that comes with the plug-in is allowing it. I just reverted to the original .htaccess and fixed it right up.
    How can there be nothing? Nothing is something!

  7. #7
    Join Date: May 2006 | Location: Virginia U.S | Posts: 173 | Plugin Contributions: 3

    Re: Security Risk - HTMLArea Image Manager

    If I use the stock ZC .htaccess I can't use the plug-in.

    This is what was supplied with the HTMLarea image Manager.

    Code:
    # deny *everything*
    <FilesMatch ".*">
      Order Allow,Deny
      Deny from all
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch ".*\.(js|css|jpg|gif|png|xml|html)$">
      Order Allow,Deny
      Allow from all
    </FilesMatch>
    
    <FilesMatch "\.(php)$">
    Order allow,deny
    allow from all
    </FilesMatch>
    
    IndexIgnore */*
    
    OPTIONS -Indexes -ExecCGI

    This allows anyone to access the file. I'm not sure how to fix it. Can you please help?
    How can there be nothing? Nothing is something!

  8. #8
    Join Date: May 2006 | Location: Virginia U.S | Posts: 173 | Plugin Contributions: 3

    SOLUTION Security Risk - HTMLArea Image Manager

    For some reason the provided .htaccess files that come with the htmlarea image manager module don't keep people from directly accessing my image manager.

    I've reinstalled my cart, double checked the chmod settings and for whatever reason I can always access it directly.

    Here is my little hack that will at least help prevent outside users from getting to it and doing some nasty stuff to your images.

    1. First, open

      YOUR_STORE_ROOT_DIRECTORY/editors/htmlarea/plugins/ImageManager/image-manager.js

      Around line 59 you will see...

      Code:
      var manager = _editor_url + 'plugins/ImageManager/manager.php';
      Change this to...

      Code:
      var manager = _editor_url + 'plugins/ImageManager/manager.php?authorize=1';
      You are simply adding ?authorize=1 to the end of the URL.

    2. Second, open

      YOUR_STORE_ROOT_DIRECTORY/editors/htmlarea/plugins/ImageManager/manager.php

      And at the top of the page add...

      Code:
      <?php $authorize = isset($_GET['authorize']) ? $_GET['authorize'] : ''; // isset() avoids an undefined-index notice when the parameter is absent
      if ( $authorize != "1" ) { die('Direct access not permitted'); } ?>

    Your image manager should not allow access to your files unless someone knows your exact URL including the ?authorize=1 part of your URL.

    Note: You can change the "authorize" variable name to whatever you want and also the variable value to whatever you want.


    Hope this helps.
    Last edited by beasleybub; 17 Jan 2011 at 06:21 AM.
    How can there be nothing? Nothing is something!
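An added example, not code from this thread and not part of Zen Cart or the HTMLArea plugin, covering posts #7 and #8 together. The .htaccess in post #7 denies everything and then re-allows every .php file with `Order allow,deny` / `allow from all`, which is why it never blocks manager.php. The `?authorize=1` value from post #8 is written into image-manager.js, which that same .htaccess serves to every visitor, so it is a fixed string rather than a secret. The guard below keeps the shape of the post #8 fix (a few lines at the very top of manager.php) but decides on the server-side session instead of a query parameter, answers 403 to anything else, and appends one line per denied request to a log file. Assumptions to confirm for your install: PHP 7.1 or later; the session key that marks a logged-in admin is assumed to be `admin_id` (the name the Zen Cart admin login uses in its own session); the log path is a placeholder; and the editor must be served under the same session cookie as the admin login, otherwise set your own flag at login time and name it in `ZC_IMAGE_MANAGER_SESSION_KEY`.

```php
<?php
// Added example, not from the thread or from Zen Cart / HTMLArea.
// Place at the very top of manager.php, before any output. Assumes PHP 7.1+.

// Session key that marks a logged-in admin. 'admin_id' is an assumption about
// the Zen Cart admin session; confirm it, or set your own flag at login time.
define('ZC_IMAGE_MANAGER_SESSION_KEY', 'admin_id');
// Placeholder log path: must be writable by the web server and outside the web root.
define('ZC_IMAGE_MANAGER_LOG', '/var/log/zencart/image-manager-denied.log');

/**
 * Pure policy decision, separated from the request so it can be checked directly.
 * Only an established, non-empty admin marker in the session grants access;
 * nothing from the query string or the request body is consulted.
 */
function image_manager_authorized(array $session): bool
{
    return !empty($session[ZC_IMAGE_MANAGER_SESSION_KEY]);
}

/**
 * One log line per denied request. Request-controlled fields are truncated and
 * stripped of CR/LF so a crafted User-Agent cannot forge extra log lines.
 */
function image_manager_deny_record(string $ip, string $uri, string $agent): string
{
    $clean = function (string $s): string {
        return str_replace(["\r", "\n"], ' ', substr($s, 0, 200));
    };
    return sprintf("%s denied ip=%s uri=%s ua=%s\n",
        gmdate('Y-m-d\TH:i:s\Z'), $clean($ip), $clean($uri), $clean($agent));
}

/** Enforce the policy: continue for an admin session, otherwise log and stop with 403. */
function image_manager_require_admin(): void
{
    if (session_id() === '') {
        session_start();
    }
    if (image_manager_authorized($_SESSION)) {
        return;
    }
    @file_put_contents(
        ZC_IMAGE_MANAGER_LOG,
        image_manager_deny_record(
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
            isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
            isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-'
        ),
        FILE_APPEND | LOCK_EX
    );
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Direct access not permitted');
}

image_manager_require_admin();
```

Because the decision lives in image_manager_authorized(), the policy can be confirmed without a browser: image_manager_authorized([]) and image_manager_authorized(['admin_id' => '']) return false, while image_manager_authorized(['admin_id' => 3]) returns true. Once manager.php checks the session itself, the ?authorize=1 edit to image-manager.js is no longer needed, and the log file gives you a record of every direct request that was turned away.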

 

 
