Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> FCKeditor/WYSIWYG Issues
Author Message
bugsy
Worker
Worker


Joined: May 08, 2007
Posts: 130

PostPosted: Sun Jun 01, 2008 11:56 am Reply with quote

Hi,

I have recently installed RN2.2 in one site and have enabled the FCK Editor. What I found our that though as an Admin I can post images or link to images as a normal user the image function is not visible or not available.

My question is - is it possible to let users post images too? (At least hotlink to it if not upload) ?

And if so ... does it affect the security of the site?
 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Sun Jun 01, 2008 4:23 pm Reply with quote

From the nukeWYSIWYG readme.txt:
Code:
   The 3rd argument defines the toolbar set, which controls which functions are 

   available to the user.  Since these functions can present security risks,
   this should be chosen carefully.  By default, the most limited toolset bar
   will be chosen.  In admin functions, you may choose to use PHPNukeAdmin which
   loads all FCKeditor functions.  The NukeUser toolbar set is more limited,
   more secure and loads faster.

And:
Code:
CUSTOM SECURITY SETTINGS


Security settings, in the form of custom toolbar settings ("toolbar sets"), are
defined in includes/fckeditor/fckconfig.js.  Several are used with nukeWYSIWYG,
including PHPNukeAdmin, NukeUser, and PHPNuke.  By modifying or creating
additional toolsets, you can flexibly define access to different functions in
FCKeditor.


To answer your questions: yes, it's possible to let users post images, and yes, it can affect the security of the site.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
bugsy
PostPosted: Sun Jun 01, 2008 11:23 pm Reply with quote

Hi kguske,

After reading your note I did try to incorporate the 'Image' in user toolbar. As you said its loading now from the user account.

But as you said security is a concern what I am thinking is that somehow if I manage to prevent access to image server from the user account that is if i manage to deactivate the image upload function for users can the security risk be less?

Basically if i can allow hot-linking to images from their server and not mine (by deactivating image upload keeping the image url option) can the security risk be minimized?

If security risk is minimized I can think of two ways to do it...

a) Do away with the "Browse Server" option and keep the image url linking feature.
b) Keep the "Browse Server" option" and do away with the "Image Upload" option in the interface.

Any idea how to implement that? My hunch is i have to hunt for some uploading specific codes and do away with them.

Another option that is coming to mind is change the permission of the image uploading directory in FCK to 644 or 755 and deny writing access - I do understand Admins too will loose access then - but that is ok with me (Have to put a notice regarding that somewhere though that you cant upload images but may hotlink from other servers).

Its kinda important that my users post supporting images with their post so wondering how do i go about it but without compromising security.

Do let me know on your thoughts on this....
 
bugsy
PostPosted: Mon Jun 02, 2008 12:14 am Reply with quote

...I have chmod 644 the images folder...now even admins can not load files in it. So does it take care of the security?

Is there any way I can take out the Browse Server Button in the insert image interface?

I have seen hotlinked image urls are functioning in the interface..
 
kb9nha
Regular
Regular


Joined: Apr 26, 2008
Posts: 60
Location: Windy City

PostPosted: Mon Jun 02, 2008 9:51 am Reply with quote

Quote:
Its kinda important that my users post supporting images with their post so wondering how do i go about it but without compromising security.


There's an easy way for image uploading in your forum section. You can add an (ImageShack) add-on to it.

Open your posting_body.tpl & look for this script below:

Quote:
<td class="row1" valign="top"><span class="gen"><b>{L_OPTIONS}</b></span><br /><span class="gensmall">{HTML_STATUS}<br />{BBCODE_STATUS}<br />{SMILIES_STATUS}</span></td>
<td class="row2"><span class="gen"> </span>
<table cellspacing="0" cellpadding="1" border="0">
<!-- BEGIN switch_html_checkbox -->


Replace the script with the one below:

Quote:
<td class="row1" valign="top"><span class="gen"><b>{L_OPTIONS}</b></span><br /><span class="gensmall">{HTML_STATUS}<br />{BBCODE_STATUS}<br />{SMILIES_STATUS}</span></td>
<td class="row2"><b>&nbsp;&nbsp;Upload Image with ImageShack!</b><br><iframe src="http://imageshack.us/iframe.php?txtcolor=111111&type=blank&size=30" scrolling="no" allowtransparency="true" frameborder="0" width="280" height="90">Update your browser for ImageShack.us!</iframe>
<table cellspacing="0" cellpadding="1" border="0">
<!-- BEGIN switch_html_checkbox -->


The (posting_body.tpl) is located in the following directory:
/modules/Forums/templates/SubSilver/posting_body.tpl

If you are using different template (not subSilver), please go to the directory associated with THAT different template.

The images uploaded will be not be stored into your site but to ImageShack. There's no need to sign up for an ImageShack account either. It's completely anonymous.


Last edited by kb9nha on Mon Jun 02, 2008 10:27 am; edited 3 times in total 
View user's profile Send private message
kb9nha
PostPosted: Mon Jun 02, 2008 10:03 am Reply with quote

After installing this add-on, you can test it by posting something in your forum. Down below where you type your posts, you'll see an ImageShack link with space bar & (Browse) button for you to easily upload your images. After you press the (Host it) button, you'll be directed to different thumbnail codes choices for the image you've uploaded. Use the second thumbnail code (Thumbnail for forums (1)). It's written in phpBB.
 
bugsy
PostPosted: Mon Jun 02, 2008 11:28 am Reply with quote

k...thanks...will try it in my forum but I am actually trying to find out about using FCK in the news module of ravennuke..sorry i forgot to mention that.

Presently I have activated Insert Image function for users and chmod the image directory to 644 that prevents it from being accessed by anybody..in other words its as good as almost deleting it!

So I guess it does take care of the security concern to give users the access to incorporating images into their news post.

I am not sure though about the security aspect...can anyone second that?
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Mon Jun 02, 2008 1:02 pm Reply with quote

I didn't do anything special and on my RavenNuke users can link to images hosted elsewhere in submitted news stories. You just click the image button and enter the URL to the image.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
bugsy
PostPosted: Tue Jun 03, 2008 1:18 am Reply with quote

Ya I have also done the same but have just chmod the fck/images directory to 644 so that images can't be uploaded there. Just wondering...have you managed to do away with the "Browse Server" button that comes beside the image url when you click the insert image button...if so any idea what i need to change?
 
kguske
PostPosted: Tue Jun 03, 2008 4:33 am Reply with quote

Check the settings in includes/FCKeditor/fckconfig.js
 
bugsy
PostPosted: Tue Jun 03, 2008 7:16 am Reply with quote

Thats cool Smile I flipped the switch FCKConfig.ImageUpload = false ; and the buttons gone so I guess that takes care of the security....thanks
 
kguske
PostPosted: Tue Jun 03, 2008 8:01 pm Reply with quote

Sounds good.
 
bugsy
PostPosted: Fri Jun 20, 2008 6:00 am Reply with quote

Hi kgusk...I just wanted a lil confirmation on another aspect ... If I apply the same process for the Flash Files also - that is normal users can embed flash videos/clips by hot-linking and not by uploading then the security issue does get taken care of I guess?

And giving the template feature to normal users is also not a security issue right?

It will be nice if you can support other types of rich media in future versions of FCKeditor...best part I guess you giving options to control what we want and what we do not want in the edit interface.

Just a suggestion ... if you can have various kinda tool bars supporting various nsn groups - which the admins can customize and control as per group level in some kinda front end panel - will really boost its features I guess - but considering this is an opensource project - this script is an extremely powerful enhancement to phpnuke and its derivatives.
 
kguske
PostPosted: Fri Jun 20, 2008 8:51 am Reply with quote

Re: flash, yes, but you'll need to update the $allowable_html array in config.php.

No issues giving template feature - it should be included in future releases of nukeWYSIWYG.

Changes to support toolbars for groups would require changes to the applications where these would be used, as well as definition of the toolbar functions in includes/fckeditor/fckconfig.js.
 
bugsy
PostPosted: Fri Jun 20, 2008 10:48 am Reply with quote

I guess you mean to say i have to add
Code:
'embed'=>2 
in that
Code:
$AllowableHTML = array('b'=>1,'i'=>1,'u'=>1,'div'=>2,'a'=>2,'em'=>1,'br'=>1,'strong'=>1,'blockquote'=>1,'tt'=>1,'li'=>1,'ol'=>1,'ul'=>1);


I am not very good in embedding videos...just wondering using the same function can other medias (say .wmv) be embedded or it is just meant for flash videos?
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Fri Jun 20, 2008 11:52 am Reply with quote

Think very, very carefully before allowing external linking to flash as it supports embedded scripting.
 
View user's profile Send private message Send e-mail
bugsy
PostPosted: Fri Jun 20, 2008 12:15 pm Reply with quote

You mean to say scripts inside .swf file?! that is a security issue i guess provided I cannot detect it once its posted for review before publishing it - or can scripts do the job even when posted for reviews? Or you mean to say hackers can use embed scripts inside embed tags?

Basically I intend publish videos from a selective group (who are not admins but special users - one nsn group) and not from all users - but that is when we are talking about publishing the stories after approval not when they submit it (every user can see embed flash button in submit news page by default).

From the security point of view - any user can embed .swf files and submit for review purposes...and I can reject only after it has been posted and damage has been done?

What I am trying to say is scripts can take effect after i publish the stories or even when any user posts a flash in an article meant for review?
 
Guardian2003
PostPosted: Fri Jun 20, 2008 12:33 pm Reply with quote

It's more than possible as you can build in a delay before the script executes or it could do something you cannot see visually. If you frequent some of the security sites there have been a number of cases of exploits through malicious code embedded in flash files from simple keylogging trojans to much worse things.
If the flash comes from a trusted source and can only be accessed by the trusted source then that is at least slightly more comforting but to answer your question, yes you can hide malicious code inside the flash file itself so whenever it is accessed, even by 'pre-viewing' it, it has the potential to do damage.
If you can guarantee your users/site visitors have the latest version of flash player then that would certainly help.
 
kguske
PostPosted: Fri Jun 20, 2008 3:23 pm Reply with quote

bugsy, I don't do much with videos, but if it can be displayed / embedded in HTML, you should be able to use it with nukeWYSIWYG. Definitely heed the warnings of Guardian, though.
 
bugsy
PostPosted: Sat Jun 21, 2008 3:26 am Reply with quote

Thanks for the input because the ones that I want to publish will be from trusted source but ones that will be sent to me will be from a mixed source and its highly risky if i cannot see inside and discover the code..or as you say can't even preview also.

It actually makes me quite weary of video sites using user generated flash content like youtube and all!

I guess same problem can be avoided if i can somehow incorporate .wmv or quicktime videos in the page. I can ask my users to send me wmv or quicktime file links and incorporate it in text this side either in those safe formats or after making it a flash.

kguske I just have a small thought for you as Guardian2003 pointed out that flash does have security flaws if coming from mixed sources why not you give the options of loading .wmv or quicktime instead/along with flash in FCK editor. In fact I guess I did hear some where about a rich media nuke plugin.

Now I will think twice before going to a fash website even haha Smile...some people are bent on making lives harder for the more decent kinds I guess Smile
 
kguske
PostPosted: Sat Jun 21, 2008 7:07 am Reply with quote

We generally support the functions developed for FCKeditor. If it's been done for FCKeditor, we can consider adding it. But we're busy working on the next RN release right now, so I'll leave it to you to find this FCKeditor tweak / addon / extension / configuration.
 
bugsy
PostPosted: Sat Jun 21, 2008 9:33 am Reply with quote

Ya will search for it and post here if i come across it (cant even remember how and where I came across it...but i did read somewhere!). Best..for the new release and thanks for the words of caution...
 
bugsy
PostPosted: Mon Jul 21, 2008 9:50 am Reply with quote

Well...I finally did come across few ways to manage videos in sites and i guess can be used in FCK Editor interface to include all kinda videos...

a) This one's a hosted solution...which i liked best but only 1GB of bandwidth is free and rest are paid for and a small 30 sec video can eat up 2mb in a single view! Very similar like you tube interface. (Best is most kinda video formats are supported as input - output is flash embed script)
Only registered users can see links on this board! Get registered or login!

b) This is a server side player (free for non commercial) its coming from the developer of bitsontherun only.. Only registered users can see links on this board! Get registered or login!

c) This one has a php nuke module i think Only registered users can see links on this board! Get registered or login!

But I might also use the flash encoders from Only registered users can see links on this board! Get registered or login! or Only registered users can see links on this board! Get registered or login! to convert videos into flash from other formats (both are free)....and then use the embed flash option in FCK Editor.

I am planning to avoid the security issue by asking my members to supply me non flash format videos like wmv and then convert it into flash and incorporate in RN2.2 at the admin end.

Well i do understand this is not a complete push button thing but i guess the links will help people interested in including various video formats using FCK.

I came across a nice video guide also Only registered users can see links on this board! Get registered or login!

cheers.. Smile
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> FCKeditor/WYSIWYG Issues

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©