galaxian

Security issue with KCFinder


Hello

We have recently come across a security issue with using the KCFinder image uploader, which was integrated into CKEditor. KCFinder was used to upload images into product descriptions when they were being edited in CKEditor. Essentially the KCFinder file "browser.php" could be accessed by anyone online and allowed the uploading of files to a website. The addon has now been disabled.

After investigating further I found this note online regarding KCFinder:

Mandatory security measure: Open "kcfinder/config.php" and make sure "disabled" is true. If it's false, ANYONE will be able to access KCFinder and upload files.

We learned the hard way on that one. So in posting this info we hope no one else will have the same issue.

Question:

What can we use which is secure with CKEditor to allow us to upload images into our product descriptions? We are using OSCOM 2.3.

Any feedback is much appreciated.


I personally just upload my images by FTP (FileZilla) to the images directory, click the small image button in CKEditor and give the image address in the form

yoursite.com/images/any_image.jpg


Regards

Joli


To improve is to change; to be perfect is to change often.


Thank you for the feedback. Yes, that is a solution, but it just adds a bit more time to the process. I was hoping there might be a secure solution out there.


Well, I was at the plugin section of CKEditor yesterday and do seem to remember reading something about image uploaders, but I can't remember.

Have another look there; I was also there just to see about allowing image uploads to the front of the site with security in mind.

Haven't had time to study.



Well to be honest I stumbled upon this problem this week and made a solution...

At the bottom of '/admin/includes/application_top.php' you add the session variables to make KCFinder enable the upload functionality.

So only logged-in admin users can use the upload functionality:

/* Enable KCFinder, the filemanager in TinyMCE */
$_SESSION['KCFINDER'] = array();
$_SESSION['KCFINDER']['disabled'] = false;

In the /kcfinder/core/autoload.php I added to the top of the file:

// BOF: Added to work with session handling of osCommerce:
set_include_path('../');                      // lets application_top.php find its own includes relative to admin/
include('../includes/application_top.php');   // osCommerce admin bootstrap: starts the admin session, sends you to the login page if needed
set_include_path(dirname(__FILE__));          // set the include path to this file's directory
// EOF: Added to work with session handling of osCommerce:

Just change the include path to the path where your admin/includes/application_top.php file is.

The path I used works when KCFinder is a direct subfolder of the admin.

Now it is secure! (I hope, at least :) )

Edited by Piemol

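A hardened variant of the prelude above, written here as an added example (it is not the thread's, KCFinder's or osCommerce's own code). It assumes the layout the post describes, KCFinder at admin/kcfinder so that autoload.php sits at admin/kcfinder/core/autoload.php, and it assumes that an authenticated osCommerce admin session can be recognised by $_SESSION['admin'] (an assumption of this example, not something the thread states). Instead of the relative '../' it derives the admin directory from __DIR__, it keeps the original include_path entries rather than replacing them, it fails closed when the bootstrap file cannot be found, and it switches KCFinder on for the current request only after the bootstrap has run, so nothing needs to be appended to application_top.php:

```php
<?php
// Added example, not the thread's, KCFinder's or osCommerce's own code.
// Goes at the top of admin/kcfinder/core/autoload.php, right after <?php,
// in place of the prelude posted above. Assumes KCFinder lives in
// admin/kcfinder/ and that $_SESSION['admin'] marks an authenticated
// osCommerce admin session (an assumption of this example).

// BOF: osCommerce session handling (hardened variant)
$adminDir  = dirname(dirname(__DIR__));               // admin/kcfinder/core -> admin
$bootstrap = $adminDir . '/includes/application_top.php';

// Fail closed: a wrong path must not silently leave the uploader reachable.
if (!is_file($bootstrap)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('KCFinder: osCommerce admin bootstrap not found at ' . $bootstrap);
}

// application_top.php requires its own files by paths relative to admin/, so
// admin/ is prepended to include_path while it runs. The original value (which
// still contains '.') is put back afterwards so that KCFinder's later relative
// requires such as "core/uploader.php" keep resolving. restore_include_path()
// is avoided: it was deprecated in PHP 7.4 and removed in PHP 8.0.
$savedIncludePath = get_include_path();
set_include_path($adminDir . PATH_SEPARATOR . $savedIncludePath);
require $bootstrap;   // sends visitors without an admin login to the login page and exits
set_include_path($savedIncludePath);

// Default deny: enable KCFinder for this request only when the bootstrap left
// behind an authenticated admin session; anything else gets a 403.
if (empty($_SESSION['admin'])) {
    $_SESSION['KCFINDER']['disabled'] = true;
    header('HTTP/1.1 403 Forbidden');
    exit('KCFinder is only available to logged-in administrators.');
}
$_SESSION['KCFINDER']['disabled'] = false;
// EOF: osCommerce session handling
```

This relies on kcfinder/config.php keeping 'disabled' => true as its default, exactly as the note quoted in the first post requires; the session value set here is the only thing that switches the uploader on, and it is set only after the osCommerce bootstrap has had the chance to turn an unauthenticated request away.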

Hi Leo,

Security issue confirmed with KCFinder; now going to try your fix.

Thanks for the info :thumbsup:

Regards

Joli


Hi Leo,

Works well, seems secure now. Good catch.

Regards

Joli


I installed this contribution and I seem to be getting the following error:

Warning: include(../includes/application_top.php): failed to open stream: No such file or directory in c:\htdocs\website\catalog\admin\ext\kcfinder\core\autoload.php on line 25

Warning: include(): Failed opening '../includes/application_top.php' for inclusion (include_path='../') in c:\htdocs\website\catalog\admin\ext\kcfinder\core\autoload.php on line 25

I have changed all the configuration files to direct to admin/ext/kcfinder.

Any help is much appreciated.


Hi Ghost

KCFinder should be installed in admin/kcfinder/ and CKEditor in admin/ext/ckeditor.

Try moving kcfinder up a level, right beside the includes directory.

Regards

Joli

Edited by joli1811

Is there a way of installing it in admin/ext please?

If not then OK, but I would like it in admin/ext if possible please.


HI Ghost,

Quite sure it is possible. You would need to go to the website; there is documentation included with the package with a link. If you follow it you can read the different config settings and see the path changes you would need to make. You would also need to change the security fix paths, as these are for a standard install with kcfinder at top level.

About 4 - 6 paths would need to be changed and tested.

Regards

Joli


Hello :) I've installed ckeditor in my admin/ext folder and kcfinder in admin folder, but when working within my admin file, and I try to add an image, I click on the Browse Server button and a new Administrator Login page pops up. I log in, try to add a pic through ckeditor and when I click on the Browse Server button the same thing happens again. It appears that I am experiencing some sort of 'groundhog day' loop :P. Does anyone have any idea what could be causing this, and what I can do to correct it?

In the meantime, I AM able to add pictures by typing in my http://mywebsite.com/images/picname.jpg ... but I'm wondering what could be causing this issue.

Thank you,
Jewell

Edited by jeu4328


Thank you very much for supporting this contribution! I use the CKEditor all the time and just installed the updated version with the KCFinder.

I have a question about the security update. Specifically, what is the purpose of set_include_path('../'); and set_include_path(dirname(__FILE__));? I looked them up and understand what they do, but I don't quite understand why they are used in /kcfinder/core/autoload.php (below). Are they relevant to the security update or just used depending on your file structure?

// BOF: Added to work with session handling of osCommerce:
set_include_path('../');
include('../includes/application_top.php');
set_include_path(dirname(__FILE__));
// EOF: Added to work with session handling of osCommerce:

Both are causing errors lower in the file for me (i.e. line 64 require "core/uploader.php";). The location of autoload.php on my site is catalog/admin/kcfinder/core/autoload.php. If I comment them out then everything seems to work fine. If either is active then the KCFinder doesn't work.

I'm a bit of a novice when it comes to PHP... Are these lines required for the security update at all, or are they just useful depending on your file structure? Thank you in advance!


Hi Nate,

These lines are added to prevent access to http://www.xxxxxxxx.com/admin/kcfinder/core/browser.php by anyone online; it just means that you have to be logged in to admin to access the files.

What errors are you getting? Test if you can access the above file from your browser; if you can, that is the security hole.

It should be added after the first <?php:

<?php
// BOF: Added to work with session handling of osCommerce:
set_include_path('../');
include('../includes/application_top.php');
set_include_path(dirname(__FILE__));
// EOF: Added to work with session handling of osCommerce:

 

Regards

Joli

Edited by joli1811

Hello Joli,

Thank you for following up. I truly appreciate it! I've been tweaking autoload.php a bit and using the various error logs to understand where things are failing. It's been a bit of a learning experience! I'd like to run something past you...

1. As far as I can tell, set_include_path('../'); is useful for when autoload.php includes application_top.php in the next line of code, include('../includes/application_top.php');. I'm guessing this because if I comment out set_include_path('../'); then I get errors having to do with application_top.php and various files application_top.php calls.

2. After application_top.php has done its thing with regard to sessions and such, we need to set the include path back so that we don't have to change a bunch of other paths in autoload.php. I'm guessing that is the purpose of set_include_path(dirname(__FILE__));

For some reason I couldn't get KCFinder to work without commenting out these two lines (which screwed up the admin session stuff) or without modifying the paths of the other includes in autoload.php. Assuming 1 & 2 above are correct, I replaced set_include_path(dirname(__FILE__)); with restore_include_path(); such that this code block now looks like...

// BOF: Added to work with session handling of osCommerce:
set_include_path('../');
include('../includes/application_top.php');
restore_include_path();
// EOF: Added to work with session handling of osCommerce:

KCFinder seems to be working fine now and I don't see any errors in the error logs. Also, I checked http://www.MYSITE.com/catalog/admin/kcfinder/core/browser.php as you mentioned above and it returns Forbidden (presumably because of the .htaccess file). I also checked http://www.MYSITE.com/catalog/admin/kcfinder (there is no .htaccess file here) and it required a login. Does all that sound correct, as in that's the way it's supposed to work?

Thank you very much for the help! I really appreciate it!

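A runnable illustration of what the three include_path changes discussed in this post do, added here as an example; it is not code from the thread, from KCFinder or from osCommerce. It builds a throwaway directory tree that mirrors the layout used above (admin/includes/application_top.php with a stand-in bootstrap that, like the real one, requires a file by a path relative to admin/; admin/kcfinder/core/uploader.php) and, from the working directory that browser.php runs in, checks with stream_resolve_include_path() which relative requires PHP would find after each step. The behaviour shown after set_include_path(dirname(__FILE__)) is consistent with the failing require "core/uploader.php" described above. Because restore_include_path() was deprecated in PHP 7.4 and removed in PHP 8.0, the example restores the value saved with get_include_path() instead, which is what that function achieved in this case:

```php
<?php
// Added example: not code from this thread, KCFinder or osCommerce.
// Builds a throwaway tree that mirrors the layout discussed above and shows
// what each include_path change does to later relative requires.
// Usage: php include_path_demo.php

$root = sys_get_temp_dir() . '/kcfinder_demo_' . getmypid();
mkdir("$root/admin/includes", 0700, true);
mkdir("$root/admin/kcfinder/core", 0700, true);
file_put_contents("$root/admin/includes/configure.php", "<?php\n");
// Stand-in for the osCommerce bootstrap: like the real one, it requires its
// own files by paths relative to admin/, not relative to the including script.
file_put_contents("$root/admin/includes/application_top.php",
    "<?php require 'includes/configure.php';\n");
file_put_contents("$root/admin/kcfinder/core/uploader.php", "<?php\n");

// browser.php runs with admin/kcfinder/ as the working directory; mimic that.
chdir("$root/admin/kcfinder");
$autoloadDir = "$root/admin/kcfinder/core";   // what dirname(__FILE__) is inside autoload.php

// Baseline: a typical php.ini include_path starts with '.', the working directory.
set_include_path('.' . PATH_SEPARATOR . '/usr/share/php');
$saved = get_include_path();

// True when include/require would find $relative with the current include_path.
function resolves($relative)
{
    return stream_resolve_include_path($relative) !== false;
}

function report($step)
{
    printf("%-45s core/uploader.php: %-4s includes/configure.php: %s\n",
        $step,
        resolves('core/uploader.php') ? 'yes' : 'no',
        resolves('includes/configure.php') ? 'yes' : 'no');
}

report('baseline');

// Step 1 of the posted prelude: '../' (admin/) replaces the whole include_path,
// which is what lets application_top.php's own relative requires succeed.
set_include_path('../');
report("after set_include_path('../')");
include '../includes/application_top.php';   // its require 'includes/configure.php' now works

// Step 3 as originally posted: dirname(__FILE__) replaces the path again.
// '.' is gone, so a later require "core/uploader.php" has no working-directory
// entry to resolve against.
set_include_path($autoloadDir);
report('after set_include_path(dirname(__FILE__))');

// Step 3 done by restoring the saved value instead: the original entries,
// '.' included, are back and both kinds of relative path behave as before.
set_include_path($saved);
report('after set_include_path($saved)');

// Clean up the throwaway tree.
chdir(sys_get_temp_dir());
foreach (["$root/admin/kcfinder/core/uploader.php", "$root/admin/includes/application_top.php",
          "$root/admin/includes/configure.php"] as $file) {
    unlink($file);
}
foreach (["$root/admin/kcfinder/core", "$root/admin/kcfinder", "$root/admin/includes",
          "$root/admin", $root] as $dir) {
    rmdir($dir);
}
```

Run it from the command line; the report lines show "includes/configure.php" only resolving while admin/ is on the include_path, and "core/uploader.php" ceasing to resolve once set_include_path(dirname(__FILE__)) has dropped '.', which is the difference between the two prelude variants compared in this post.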

Well, it is strange; the security fix worked for me. I have it running as it is on a few sites with no problems, so maybe it's something to do with your setup/server/PHP version.

But the results you are getting are correct. Not much of a PHP expert myself; if that works for you, good. The main thing is that access to browser.php is blocked until you log in and there are no errors in your error log. Maybe someone else with a bit more knowledge would care to comment!!!

When I first installed, I saw that anyone online could actually access that file, so including admin/includes/application_top.php seems to be the logical solution.

Thanks for the update; it will be useful for anyone else experiencing similar problems.

Regards

Joli

