Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
9 - 7 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
   

Re: ck editor + file browser is disabled
by ghia on 2010/9/22 8:22:56

In principle no, but it is possible to 'execute' files of another type as PHP files (image contains code), when the .htaccess is manipulated and some jpg files can make use of security flaws in Windows, when your users' computer is not running the latest security updates.
Because 'An image is 1000 words', it is easier to have offending content.
Re: ck editor + file browser is disabled
by hrac on 2010/9/22 1:27:53

If we allow only jpeg or gif image file, and than publish them on website. Does this cause any security risk?
Re: ck editor + file browser is disabled
by ghia on 2010/9/21 23:47:07

Allowing people to upload files is a serious security risk.
Only limited file types should be possible and only for trustworthy people, that have also the knowledge of what files can breach security and which don't.
Re: ck editor + file browser is disabled
by hrac on 2010/9/21 20:40:08

I guess it is a good idea that every xoops user have a unique folder for uploads and every user can see (list), upload and delete own files in his/her unique folder. Is it possible to implement this kind of mechanism?
Re: ck editor + file browser is disabled
by kaotik on 2009/10/28 12:08:59

I've solved it. Now the editor will first check if you are a XOOPS admin, if yes it will let you manage images and upload.

Here's the solution:
Open class/xoopseditor/ckeditor/ckfinder/config.php

around line line 32 find:
le="color: #000000"><?php return false;


replace with:
le="color: #000000"><?php include_once "../../../../../../../mainfile.php"; $isadmin = ($xoopsUser && $xoopsUser->isAdmin()) ? 1 : 0; if ($isadmin===1) { return true; } else { return false; }


So the entire function should look like this:
le="color: #000000"><?php function CheckAuthentication() { //WARNING : DO NOT simply return "true". By doing so, you are allowing //"anyone" to upload and list the files in your server. You must implement //some kind of session validation here. Even something very simple as... // return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized']; //... where $_SESSION['IsAuthorized'] is set to "true" as soon as the //user logs in your system. include_once "../../../../../../../mainfile.php"; $isadmin = ($xoopsUser && $xoopsUser->isAdmin()) ? 1 : 0; if ($isadmin===1) { return true; } else { return false; } }

Who's Online

521 user(s) are online (412 user(s) are browsing Support Forums)


Members: 0


Guests: 521


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits