
jonocode – a developer's blog

I moved! –> http://pressreload.com

So you’ve managed to integrate FCKEditor into Symfony for use with your administrative console.

Problem: FCKEditor ships with its own file uploader for media files (images, documents, Flash files, that sort of thing). It is driven by a PHP connector.

All that a hacker needs to do is enter a URL like so:

/js/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=../../connectors/php/connector.php

…and he or she is able to upload media files.

You’ve secured your application using security.yml, and perhaps the sfGuard plugin. But what about that file uploader? It isn’t launched by one of your controllers; it has its own entry point, so none of your security rules apply to it.

Solution: Turn the PHP connector in FCKEditor into a controller.

1.  Open up the PHP connector’s config.php at:

web/js/fckeditor/editor/filemanager/connectors/php/config.php

2.  Turn it into a Symfony controller.  Insert the following at the top of the file:

// Bootstrap the Symfony application so that sfContext (and the session user) is available.
define('SF_ROOT_DIR',    realpath(dirname(__FILE__).'/../../../../../../..'));
define('SF_APP',         'backend');
define('SF_ENVIRONMENT', 'prod');
define('SF_DEBUG',       false);

require_once(SF_ROOT_DIR.DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR.SF_APP.DIRECTORY_SEPARATOR.'config'.DIRECTORY_SEPARATOR.'config.php');

// Stop before the connector does anything unless the request comes from an authenticated session.
if ( !sfContext::getInstance()->getUser()->isAuthenticated() ) {
  exit();
}

Make sure you enter the correct SF_APP, and check that the relative path used for SF_ROOT_DIR actually resolves to your project root.

If the user isn’t authenticated, I simply exit.  The reason I don’t redirect to a nice “session timed out” page is because the PHP is called from FCKEditor’s Javascript.  If anyone has a more elegant solution, please comment!
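An added example (not code from the original post) of the same guard with a few defensive refinements: it also requires a credential (the name 'admin' is an assumption), answers with an explicit 403 instead of a silent exit so FCKEditor's JavaScript and the web server log both see a failure, and spells out how it relates to the connector's own $Config['Enabled'] switch.

```php
<?php
// Added example for the top of the FCKeditor PHP connector's config.php.
// Assumes a Symfony application named 'backend' (as in the post) and an
// application credential named 'admin' (assumed name; use your own).
define('SF_ROOT_DIR',    realpath(dirname(__FILE__).'/../../../../../../..'));
define('SF_APP',         'backend');
define('SF_ENVIRONMENT', 'prod');
define('SF_DEBUG',       false);

// Bootstrap Symfony so sfContext and the session user are available here.
require_once(SF_ROOT_DIR.DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR.SF_APP
             .DIRECTORY_SEPARATOR.'config'.DIRECTORY_SEPARATOR.'config.php');

$user = sfContext::getInstance()->getUser();

// Reject anyone who is not logged in *and* holding the admin credential.
// A real HTTP status (rather than a blank 200) is what the editor's
// JavaScript, your access logs and any monitoring will actually notice.
if (!$user->isAuthenticated() || !$user->hasCredential('admin')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}

// The stock connector ships with `$Config['Enabled'] = false ;` further
// down in this file. Only set that line to true together with this guard:
// the guard runs first, so the connector is enabled solely for requests
// that have already passed the authentication and credential check.
```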
