bugsy
Worker
Joined: May 08, 2007
Posts: 130
Posted: Sun Jun 01, 2008 11:56 am
Hi,
I have recently installed RN2.2 on one site and have enabled the FCK Editor. What I found out is that, though as an Admin I can post images or link to images, as a normal user the image function is not visible or not available.
My question is: is it possible to let users post images too (at least hotlink to them, if not upload)?
And if so... does it affect the security of the site?

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Sun Jun 01, 2008 4:23 pm
From the nukeWYSIWYG readme.txt:
Code:
The 3rd argument defines the toolbar set, which controls which functions are
available to the user. Since these functions can present security risks,
this should be chosen carefully. By default, the most limited toolbar set
will be chosen. In admin functions, you may choose to use PHPNukeAdmin which
loads all FCKeditor functions. The NukeUser toolbar set is more limited,
more secure and loads faster.

And:
Code:
CUSTOM SECURITY SETTINGS
Security settings, in the form of custom toolbar settings ("toolbar sets"), are
defined in includes/fckeditor/fckconfig.js. Several are used with nukeWYSIWYG,
including PHPNukeAdmin, NukeUser, and PHPNuke. By modifying or creating
additional toolsets, you can flexibly define access to different functions in
FCKeditor.

To answer your questions: yes, it's possible to let users post images, and yes, it can affect the security of the site.

bugsy
Posted: Sun Jun 01, 2008 11:23 pm
Hi kguske,
After reading your note I did try to incorporate the 'Image' button in the user toolbar. As you said, it's loading now from the user account.
But as you said security is a concern, what I am thinking is that somehow, if I manage to prevent access to the image server from the user account, that is if I manage to deactivate the image upload function for users, can the security risk be less?
Basically, if I can allow hot-linking to images from their server and not mine (by deactivating image upload but keeping the image URL option), can the security risk be minimized?
If the security risk is minimized, I can think of two ways to do it...
a) Do away with the "Browse Server" option and keep the image URL linking feature.
b) Keep the "Browse Server" option and do away with the "Image Upload" option in the interface.
Any idea how to implement that? My hunch is I have to hunt for some upload-specific code and do away with it.
Another option that is coming to mind is to change the permissions of the image upload directory in FCK to 644 or 755 and deny write access. I do understand Admins too will lose access then, but that is OK with me (I'll have to put a notice somewhere that you can't upload images but may hotlink from other servers).
It's kinda important that my users post supporting images with their posts, so I'm wondering how do I go about it without compromising security.
Do let me know your thoughts on this....

bugsy
Posted: Mon Jun 02, 2008 12:14 am
...I have chmod 644 the images folder... now even admins cannot load files into it. So does that take care of the security?
Is there any way I can take out the Browse Server button in the insert image interface?
I have seen that hotlinked image URLs are functioning in the interface..

kb9nha
Regular
Joined: Apr 26, 2008
Posts: 60
Location: Windy City
Posted: Mon Jun 02, 2008 9:51 am

Edited...
(Last edited by kb9nha on Wed Aug 07, 2024 6:53 pm; edited 4 times in total)

kb9nha
Posted: Mon Jun 02, 2008 10:03 am

Edited...
(Last edited by kb9nha on Wed Aug 07, 2024 6:53 pm; edited 1 time in total)

bugsy
Posted: Mon Jun 02, 2008 11:28 am
OK... thanks... will try it in my forum, but I am actually trying to find out about using FCK in the news module of RavenNuke.. sorry, I forgot to mention that.
Presently I have activated the Insert Image function for users and chmod the image directory to 644, which prevents it from being accessed by anybody.. in other words it's as good as almost deleting it!
So I guess it does take care of the security concern to give users access to incorporating images into their news posts.
I am not sure though about the security aspect... can anyone second that?

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
Posted: Mon Jun 02, 2008 1:02 pm
I didn't do anything special and on my RavenNuke users can link to images hosted elsewhere in submitted news stories. You just click the image button and enter the URL to the image. |

bugsy
Posted: Tue Jun 03, 2008 1:18 am
Ya, I have also done the same but have just chmod the fck/images directory to 644 so that images can't be uploaded there. Just wondering... have you managed to do away with the "Browse Server" button that comes beside the image URL when you click the insert image button... if so, any idea what I need to change?

kguske
Posted: Tue Jun 03, 2008 4:33 am
Check the settings in includes/FCKeditor/fckconfig.js |

bugsy
Posted: Tue Jun 03, 2008 7:16 am
That's cool, I flipped the switch FCKConfig.ImageUpload = false ; and the button's gone, so I guess that takes care of the security.... thanks

kguske
Posted: Tue Jun 03, 2008 8:01 pm

bugsy
Posted: Fri Jun 20, 2008 6:00 am
Hi kguske... I just wanted a lil confirmation on another aspect... If I apply the same process for the Flash files also, that is normal users can embed flash videos/clips by hot-linking and not by uploading, then the security issue does get taken care of, I guess?
And giving the template feature to normal users is also not a security issue, right?
It will be nice if you can support other types of rich media in future versions of FCKeditor... the best part I guess is you giving options to control what we want and what we do not want in the edit interface.
Just a suggestion... if you can have various kinds of toolbars supporting various NSN groups, which the admins can customize and control per group level in some kind of front-end panel, it will really boost its features I guess. But considering this is an open-source project, this script is an extremely powerful enhancement to PHP-Nuke and its derivatives.

kguske
Posted: Fri Jun 20, 2008 8:51 am
Re: flash, yes, but you'll need to update the $allowable_html array in config.php.
No issues giving template feature - it should be included in future releases of nukeWYSIWYG.
Changes to support toolbars for groups would require changes to the applications where these would be used, as well as definition of the toolbar functions in includes/fckeditor/fckconfig.js. |

bugsy
Posted: Fri Jun 20, 2008 10:48 am
I guess you mean to say I have to add to that:
Code:
$AllowableHTML = array('b'=>1,'i'=>1,'u'=>1,'div'=>2,'a'=>2,'em'=>1,'br'=>1,'strong'=>1,'blockquote'=>1,'tt'=>1,'li'=>1,'ol'=>1,'ul'=>1);

I am not very good at embedding videos... just wondering, using the same function can other media (say .wmv) be embedded, or is it just meant for flash videos?

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Fri Jun 20, 2008 11:52 am
Think very, very carefully before allowing external linking to flash as it supports embedded scripting. |
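An added illustration (not code from nukeWYSIWYG, PHP-Nuke or any poster) of what kguske's note about the $allowable_html array and Guardian2003's warning mean in practice: a Python model of the tag allowlist, using the array bugsy quoted, showing that a submitted `<embed>` is dropped until the tag is added at level 2, and a review aid that lists embeds whose host is not on a trusted list. The meaning of the levels (1 = tag kept, attributes stripped; 2 = tag kept with attributes) and the trusted-host policy are assumptions.

```python
import re
from urllib.parse import urlparse

# The $AllowableHTML array quoted in the thread, as a dict. The PHP-Nuke meaning of the
# values is assumed here: 1 = tag allowed but its attributes are stripped, 2 = tag allowed
# with its attributes kept.
ALLOWABLE_HTML = {'b': 1, 'i': 1, 'u': 1, 'div': 2, 'a': 2, 'em': 1, 'br': 1,
                  'strong': 1, 'blockquote': 1, 'tt': 1, 'li': 1, 'ol': 1, 'ul': 1}

TAG_RE = re.compile(r'<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)([^>]*)>')

def check_html(html, allowable):
    """Model of the allowlist filter (not PHP-Nuke's own check_html): tags absent from
    `allowable` are removed, level-1 tags lose their attributes, level-2 tags keep them."""
    def repl(m):
        closing, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
        level = allowable.get(tag, 0)
        if level == 0:
            return ''                    # not allowlisted: drop the tag
        if closing or level == 1:
            return f'<{closing}{tag}>'   # keep the tag, discard attributes
        return f'<{tag}{attrs}>'         # level 2: keep attributes as written
    return TAG_RE.sub(repl, html)

SRC_RE = re.compile(r'<embed\b[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def untrusted_embeds(html, trusted_hosts):
    """URLs of <embed src=...> whose host is not in trusted_hosts; a review aid for the
    admin approving submitted stories. The trusted-host list is an assumed site policy."""
    return [u for u in SRC_RE.findall(html)
            if urlparse(u).hostname not in trusted_hosts]

# Constructed sample submission (not a real story): an inline handler, a script tag and
# a flash embed alongside ordinary formatting.
STORY = ('<b onclick="x()">News</b> <a href="http://example.invalid/">link</a>'
         '<script src="http://third-party.invalid/x.js"></script>'
         '<embed src="http://cdn.example.invalid/clip.swf" type="application/x-shockwave-flash">')

if __name__ == '__main__':
    print(check_html(STORY, ALLOWABLE_HTML))          # embed and script are gone
    with_flash = dict(ALLOWABLE_HTML, embed=2)        # what "allow flash" amounts to
    out = check_html(STORY, with_flash)
    print(out)                                        # embed survives with all attributes
    print(untrusted_embeds(out, {'cdn.example.invalid'}))
```

Note that level 2 keeps every attribute on the tag, not only src, so allowing `embed` hands the whole tag through to the page; the host check only narrows where the clip is loaded from.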

bugsy
Posted: Fri Jun 20, 2008 12:15 pm
You mean to say scripts inside the .swf file?! That is a security issue, I guess, provided I cannot detect it once it's posted for review before publishing it. Or can scripts do the job even when posted for review? Or do you mean to say hackers can use embedded scripts inside embed tags?
Basically I intend to publish videos from a selective group (who are not admins but special users, one NSN group) and not from all users. But that is when we are talking about publishing the stories after approval, not when they submit them (every user can see the embed flash button in the submit news page by default).
From the security point of view, any user can embed .swf files and submit them for review purposes... and I can reject only after it has been posted and the damage has been done?
What I am trying to say is: can scripts take effect after I publish the stories, or even when any user posts a flash in an article meant for review?

Guardian2003
Posted: Fri Jun 20, 2008 12:33 pm
It's more than possible as you can build in a delay before the script executes or it could do something you cannot see visually. If you frequent some of the security sites there have been a number of cases of exploits through malicious code embedded in flash files from simple keylogging trojans to much worse things.
If the flash comes from a trusted source and can only be accessed by the trusted source then that is at least slightly more comforting but to answer your question, yes you can hide malicious code inside the flash file itself so whenever it is accessed, even by 'pre-viewing' it, it has the potential to do damage.
If you can guarantee your users/site visitors have the latest version of flash player then that would certainly help. |

kguske
Posted: Fri Jun 20, 2008 3:23 pm
bugsy, I don't do much with videos, but if it can be displayed / embedded in HTML, you should be able to use it with nukeWYSIWYG. Definitely heed the warnings of Guardian, though. |

bugsy
Posted: Sat Jun 21, 2008 3:26 am
Thanks for the input, because the ones that I want to publish will be from a trusted source but the ones that will be sent to me will be from mixed sources, and it's highly risky if I cannot see inside and discover the code.. or, as you say, can't even preview.
It actually makes me quite wary of video sites using user-generated flash content like YouTube and all!
I guess the same problem can be avoided if I can somehow incorporate .wmv or QuickTime videos in the page. I can ask my users to send me wmv or QuickTime file links and incorporate them in the text on this side, either in those safe formats or after making them flash.
kguske, I just have a small thought for you: as Guardian2003 pointed out that flash does have security flaws if coming from mixed sources, why not give the option of loading .wmv or QuickTime instead of/along with flash in the FCK editor? In fact I guess I did hear somewhere about a rich media nuke plugin.
Now I will think twice before going to a flash website even, haha... some people are bent on making lives harder for the more decent kinds, I guess

kguske
Posted: Sat Jun 21, 2008 7:07 am
We generally support the functions developed for FCKeditor. If it's been done for FCKeditor, we can consider adding it. But we're busy working on the next RN release right now, so I'll leave it to you to find this FCKeditor tweak / addon / extension / configuration. |

bugsy
Posted: Sat Jun 21, 2008 9:33 am
Ya, will search for it and post here if I come across it (can't even remember how and where I came across it... but I did read it somewhere!). Best for the new release, and thanks for the words of caution...

bugsy
Posted: Mon Jul 21, 2008 9:50 am
Well... I finally did come across a few ways to manage videos on sites, and I guess they can be used in the FCK Editor interface to include all kinds of videos...
a) This one's a hosted solution... which I liked best, but only 1GB of bandwidth is free and the rest is paid for, and a small 30 sec video can eat up 2MB in a single view! Very similar to the YouTube interface. (Best is most kinds of video formats are supported as input; output is a flash embed script.)
[link visible to registered users only]
b) This is a server-side player (free for non-commercial use); it's coming from the developer of bitsontherun only.. [link visible to registered users only]
c) This one has a PHP-Nuke module, I think: [link visible to registered users only]
But I might also use the flash encoders from [link visible to registered users only] or [link visible to registered users only] to convert videos into flash from other formats (both are free).... and then use the embed flash option in FCK Editor.
I am planning to avoid the security issue by asking my members to supply me non-flash format videos like wmv and then convert them into flash and incorporate them in RN2.2 at the admin end.
Well, I do understand this is not a complete push-button thing, but I guess the links will help people interested in including various video formats using FCK.
I came across a nice video guide also: [link visible to registered users only]
cheers..