Re: Better Security for FCKeditor's File Upload Feature

From: "John Collins" <john@PROTECTED>

In-Reply-To: Better Security for FCKeditor's File Upload Feature

Date: May 10th 2010

Is it a big deal to change to TinyMCE? It's still free and can easily be set to disallow uploads. I use it in my calendar system input form and really like it.

Justin J wrote:

I've been trying to get FCKeditor to play a little nicer with Dada Mail and get the File Upload stuff a little more secure. The newest version of FCKeditor is actually called CKeditor, but the file upload/browser portion of the script is not free, or free software, so I still sometimes rely on the older FCKeditor. 

The problem is, FCKeditor's file upload feature is a potential security problem, since it allows an anonymous person to upload files to your hosting account. There's checks to what these files can be (which is great), but I think it's simply done by file ending (which is not). 

To give FCKeditor credit it tells you to plug in your own session handling stuff, and do not just flip on/override the security it... um... doesn't have. Ok. 

I first attempted to augment the "Perl" version of the connector and quickly gave up - the Perl code included with FCKeditor is a steaming pile and I wouldn't touch it, or even suggest anyone to use it. The red herring is always when there's code in the script itself to attempt to parse a get/post - it's always going to be fraught with errors and I'm sure security issues. That's why we have modules, people. 

What I did find out is, you can't attempt to use Dada Mail's session handling stuff from inside FCKeditor's included Perl connector - it mucks up the connector itself. A bug in FCKeditor, I'm thinking. Nothing I can do. 

I then tried to augment the included php connector. The code looks better, but it may just look better, since I do not know enough php to know otherwise! 

Anyways, the using two languages seems to actually be a blessing, as each program doesn't seem to step on each other's toes. 

php (like perl) has a system() call, to allow you to call an outside script. That outside script for use will be the session checker of Dada Mail. It'll let the php connector know if we're logged into a Dada Mail list, or not. If we're not, we won't be allowed to use the File Upload stuff. 

Here's what I've done - it's actually not too too scary - 


in FCKeditor's 

	fckeditor/editor/filemanager/connectors/php/config.php 

file, I've changed the lines, 

// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
//		authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = false 


to, 

// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
//		authenticated users can access this file or use some kind of session checking.

// http://php.net/manual/en/function.system.php		
// Note: When safe mode is enabled, you can only execute files within the safe_mode_exec_dir. 
// For practical reasons, it is currently not allowed to have .. components in the path to the executable.
		
$Config['Enabled'] = system('./security.pl', $retval);

That was easy - excluding the comments, we've changed: 1 line. 

I then made a small perl script called, "security.pl" with the following content: 




#!/usr/bin/perl 

use lib qw(
	../../../../../cgi-bin/dada
	../../../../../cgi-bin/dada/DADA/perllib	
	); 
use DADA::Config;
use DADA::App::Guts;  

use CGI;
CGI->nph(1) if $DADA::Config::NPH == 1;
my $q = new CGI;
   $q->charset($DADA::Config::HTML_CHARSET);
   $q = decode_cgi_obj($q);

my ($admin_list, $root_login, $checksout) = DADA::App::Guts::check_list_security(
	-cgi_obj         => $q,  
    -Function        => 'send_email', 
    -manual_override => 1
   );

print $checksout; 

#warn '$checksout ' . $checksout;

(I also attached this script).  

I saved it in that same directory (fckeditor/editor/filemanager/connectors/php) and changed its permissions to, "755" 

and, that's it - although you may very well have to change the, "use lib" paths. This assumes a similar situation to the below: 

FCKeditor is installed in: 
	/home/youraccount/public_html/fckeditor

Dada Mail is install in: 
	/home/youracccount/public_html/cgi-bin/dada

I then followed the instructions to get FCKeditor's file upload feature working: 

http://dadamailproject.com/support/documentation-4_0_4/FAQ-general.pod.html#how_do_i_get_the_file_browser_working_in_fckeditor

Skipping over this part: 

quote: 
The first variable:

        $Config['Enabled'] = false ;
Simply has to be set to, true
/quote


That's all there is to it. 

If anyone is interested in this, and would like to try this themselves, that would be... pretty cool. I may polish the above up and add it to the docs for the next release.

-------------------------------------------------
John Collins
Meetings and Mixers
Box 80461
Rancho Santa Margarita, CA 92688
c949 689 7070
john@PROTECTED
http://www.meetingsandmixers.com/

Post:
mailto:[list_settings.discussion_pop_email]

Unsubscribe:
https://dadamailproject.com/cgi-bin/dada/mail.cgi/u/dadadev/

List Information:
[PROGRAM_URL]/list/[list_settings.list]

Archive:
[PROGRAM_URL]/archive/[list_settings.list]

Developer Info:
http://dev.dadamailproject.com

‹ Better Security for FCKeditor's File Upload Feature

Index

Re: Better Security for FCKeditor's File Upload Feature ›

Email Address

You're OK with using your email address as your primary contact for this email discussion list; messages will be sent on your behalf

Unsubscribe at Anytime | Privacy Policy

This mailing list is a public mailing list - anyone may join or leave, at any time.
This mailing list is a group discussion list (unmoderated)
Start a new thread, email: dadadev@dadamailproject.com

This is the developer discussion mailing list for Dada Mail.

If you are just looking for support Dada Mail, consult the message boards at:

https://forum.dadamailproject.com

Documentation for Dada Mail:

https://dadamailproject.com/d

Specifically, see the Error FAQ:

https://dadamailproject.com/d/FAQ-errors.pod.html

To post to this list, send a message to:

mailto:dadadev@dadamailproject.com

All subscribers of this list may post to the list itself.

Topics that are welcome:

Constructive critiques on the program (I like, "x", but, "y" needs some work - here's an idea on how to make this better...)
Bug/Error reports
Bug fixes
Request For Comments on any changes to the program
Help customizing Dada Mail for your own needs
Patches
Language Translations
Support Documentation/Doc editing, FAQ's, etc.
Discussion of any changes that you would like to be committed to the next version of Dada Mail -

Dada Mail is on Github:

https://github.com/justingit/dada-mail/

If you would like to fork, branch, send over PRs, open up issues, etc.

Privacy Policy:

This Privacy Policy is for this mailing list, and this mailing list only.

Email addresses collection through this mailing list are used explicitly to work within this email discussion list.

We only collect email addresses through our Closed-Loop Opt-In system.

We don't use your email address for any other purpose.

We won't be sharing your email address with any other entity.

Unsubscription can be done at any time. Please contact us at: justin@dadamailproject.com for any help regarding your subscription, including removal from the mailing list.

All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.

All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.