 Media Library for fckeditor
By: muntada (offline)  Aug 10 2008 08:35 am (Read 7675 times)  

I tried to upload some images for a story through the fckeditor. It kept churning and churning away so I guessed something was wrong with permissions. I did the following where <domainname> is the actual site name:

chmod 777 /home/sites/<domainname>/web/images/library/File
chmod 777 /home/sites/<domainname>/web/images/library/Flash
chmod 777 /home/sites/<domainname>/web/images/library/Image
chmod 777 /home/sites/<domainname>/web/images/library/Media

This didn't work. In fact, this time I got an ugly pop-up that somewhere in it complained that it couldn't find library/image. Well, I realized that it was saying image not Image.

So I then did the following:

mv File file
mv Flash flash
mv Image image
mv Media media

After this, I was able to upload just fine. This was an install from the 1.0.2 tarball.

So far I have had to do permission changes for mediagallery, the image library, and of course a few other things that were checked initially. I think a script that can be run at the command line for those who have shell access might be a great addition. I might be able to provide something to you in a while since I am working on that for my own purposes.

Obviously, doing that through http would mean your server is misconfigured.

I thought you ought to know about the naming of the directories since a case-sensitive OS will take issue with it.

________________________
Abdul Rashid Abdullah
Muntada, LLC
http://www.muntada.com
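A command-line check of the kind the post above asks for, as an added example that is not part of the original post or of glFusion: it reports upload directories whose name differs only in case from what the connector requests, and ones left world-writable. The function name `audit_library` is hypothetical, the four lowercase names are the ones from the post, and the writability test only means something when run as the web server's user.

```python
import os
import stat
import sys

# Lowercase directory names the connector looked for, per the post (assumption:
# these four are the complete set for this install).
EXPECTED = ("file", "flash", "image", "media")

def audit_library(base, expected=EXPECTED):
    """Return (name, finding) tuples for the upload directories under base."""
    by_lower = {}
    for entry in os.listdir(base):
        by_lower.setdefault(entry.lower(), []).append(entry)
    findings = []
    for name in expected:
        variants = by_lower.get(name, [])
        if name not in variants:
            # On a case-sensitive filesystem 'Image' does not satisfy 'image'.
            if variants:
                found = ", ".join(sorted(variants))
                findings.append((name, "case mismatch: found %s" % found))
            else:
                findings.append((name, "missing"))
            continue
        path = os.path.join(base, name)
        if not os.path.isdir(path):
            findings.append((name, "not a directory"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IWOTH:
            # 777 lets every local account write here; owner/group write
            # for the web server user is normally sufficient.
            findings.append((name, "world-writable (%o)" % mode))
        elif not os.access(path, os.W_OK):
            findings.append((name, "not writable by current user"))
    return findings

if __name__ == "__main__" and len(sys.argv) == 2:
    for name, finding in audit_library(sys.argv[1]):
        print("%-6s %s" % (name, finding))
```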

By: Geiss (offline)  Aug 10 2008 13:54 pm

Quote by: muntada

This was an install from the 1.0.2 tarball.

Unless you have a time machine and went into the future, I assume you meant this is from the glFusion v1.0.1 tarball. Correct? :wink:

If need be, make sure to submit a Tracker issue about the directory permissions, that way we'll be sure they get looked at again.

Thx!

Eric


By: Anonymous: filipino ()  Aug 10 2008 16:52 pm

Eric ...


Not sure if this is related. If I try to upload an image from the local machine (not MG entered codes) I get the loader bar just sitting there - I have to cancel out to escape. This has actually happened since GL 1.4.1 with FCKeditor, but as I use MG to illustrate my posts I have never bothered to report it before. I will say the problem does seem worse since GLF 1.0.1.


Wayne


PHP Formatted Code
ALERT - Include filename ('../../../../../lib-common.php') contains too many '../' (attacker '10.10.10.9', file '/www/xxx/public_html/fckeditor/editor/filemanager/connectors/php/config.php', line 25), referer: http://www.xxx.org/fckeditor/editor/dia ... image.html
[Sun Aug 10 22:34:09 2008] [error] [client 10.10.10.9] ALERT - Include filename ('../../../../../lib-common.php') contains too many '../' (attacker '10.10.10.9', file '/www


       
By: muntada (offline)  Aug 10 2008 17:27 pm

Yes, I meant 1.0.1.

I am submitting a tracker now.

Filipino, try the fixes I did and see if it works for you.

________________________
Abdul Rashid Abdullah
Muntada, LLC
http://www.muntada.com

By: Geiss (offline)  Aug 10 2008 17:33 pm

Wayne,

I've tested the FCKeditor image upload for both regular images and MG autotags both here and on my test site. Everything works fine on both installs.

The site here is hosted by BlueHost on a Linux environment, and I am using XAMPP on Windows on my home environment. I haven't run into directory permissions issues on either one.

I did log on to your site, and can replicate the issue. Using the FCKeditor image upload button, I can get through choosing an image to upload, but when I hit the Send it to Server button, it hangs on the "processing" animation. So I'm sure it is something with your server setup, or the case-sensitive description above.

Either way, if Muntada's fixes above don't work, I'm sure Mark will be able to shed some light on it!

Muntada: Thx for taking the time to share your experiences and submitting a tracker issue!

Thx!

Eric


By: Anonymous: filipino ()  Aug 10 2008 18:05 pm

I will keep looking and post findings here.

Wayne


       
By: Anonymous: filipino ()  Aug 10 2008 18:20 pm

btw Line 25 referred to in the error

PHP Formatted Code
/public_html/fckeditor/editor/filemanager/connectors/php/config.php', line 25)



reads

PHP Formatted Code
require ('../../../../../lib-common.php');



Wayne


       
By: Mark (offline)  Aug 10 2008 18:27 pm

Wayne, this is another error caused by your Suhosin PHP Security patch. It is not caused by glFusion or the FCKeditor. One of the options of the Suhosin PHP security patch is to disallow requests that include a certain number of ../../ in the path. The idea being that too many is probably an attacker trying to read your passwd file or some other system file.

You really need to spend some time understanding all the options available in the Suhosin patch and make sure you have it configured properly or can at least recognize when it is causing the problems.

Thanks!
Mark

By: Anonymous: filipino ()  Aug 10 2008 18:28 pm

Eric

I changed line 25 above message to /www/domain/public_htm and it cured the suspended animation you saw and the file uploaded just fine.

Eric, I have strange permissions set on my server: I use domain:www and set to 3775 for site and config, so I know my permissions are set OK for the whole site.

Wayne


       
By: Anonymous: filipino ()  Aug 10 2008 18:32 pm

Hi Mark

Hope you had a good week away with the family.

cough, cough I actually have that bit turned off in Suhosin but cured it by putting the path in. SuSE has been very helpful and told me what to turn off (rem out) in php.ini to make things less severe.

Wayne

Quote by: Mark

Wayne, this is another error caused by your Suhosin PHP Security patch. It is not caused by glFusion or the FCKeditor. One of the options of the Suhosin PHP security patch is to disallow requests that include a certain number of ../../ in the path. The idea being that too many is probably an attacker trying to read your passwd file or some other system file.

You really need to spend some time understanding all the options available in the Suhosin patch and make sure you have it configured properly or can at least recognize when it is causing the problems.

Thanks!
Mark


       
By: Anonymous: filipino ()  Aug 10 2008 22:18 pm

Mark

Earlier in the week SuSE Support suggested I ask you which one/s of this list should be removed so that GLFusion will still work without complaining. A week or two ago we deduced that phpinfo should be removed, although it is still in this list.

PHP Formatted Code
suhosin.executor.func.blacklist=exec, shell_exec, system, passthru, show_source, proc_open, popen, highlight_file, phpinfo, ini_set, ini_restore


There is also a

PHP Formatted Code
suhosin.executor.func.whitelist=


Should anything be placed here?

I am sure I am not the only server running Suhosin, so hopefully your reply will act as an 'aide-mémoire' for those people also.

-Wayne


       
By: jmucchiello (offline)  Aug 11 2008 03:18 am

glFusion should only need ini_set out of that list.

By: Anonymous: filipino ()  Aug 11 2008 05:21 am

Many thanks, will set all the others to rem and set ini_set to blacklist.

Appreciate your reply.

Wayne


       
By: Anonymous: filipino ()  Aug 11 2008 05:37 am

Unfortunately, setting ini_set in the blacklist creates the 'This page cannot be rendered error' with the following error in the Apache error log:

PHP Formatted Code
ALERT- function within blacklist called: ini_set() (attacker 'X-FORWARDED-FOR not set', file '/www/xxxx/public_html/lib-common.php', line 168)
 



Line 168 is the middle one of this sub:

PHP Formatted Code
if( ini_set( 'include_path', $_CONF['path_pear'] . $separator
                             . $curPHPIncludePath ) === false )
{
    COM_errorLog( 'ini_set failed - there may be problems using the PEAR classes.', 1);
}
 



I remmed the suhosin line again and all works again.

Wayne


       
By: Mark (offline)  Aug 11 2008 06:09 am

Wayne, I believe Joe was stating that glFusion needs to call ini_set(), so it should not be in the blacklist.

The Suhosin PHP Hardening Patch has over a hundred configuration options. I'm no expert on the patch, so I can't really give you configuration settings that will meet your specific needs.

One thing that has been consistent when it (the Patch) causes your site to fail is that each log entry starts with ALERT. When you see those, it is not a bug in the CMS, it is the Suhosin Patch causing the problem.

You probably need to do a little trial and error to make all this work. Go through each configuration setting, decide if that feature is important to you, then determine the proper setting to provide additional security for your site, but still let PHP applications do what they need to do. The problem with these types of security patches is they will make perfectly legal PHP code no longer work by disabling features of PHP. Whenever you do that, it is bound to cause some headaches.

I wish I had a simple answer, but unfortunately, there really isn't one. You will need to tweak your environment as you run into the problems to make things work properly.

Thanks!
Mark
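The trial-and-error review described above can start from the error log itself. This added example (not code from glFusion, Suhosin or any poster) picks out the ALERT entries, maps each to the directive behind it, and groups them by calling script and line. The log lines are constructed from the excerpts in this thread, and the names `triage` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Message patterns copied from the two ALERT lines quoted in the thread.
# func.blacklist is named on the page; include.max_traversal is the Suhosin
# directive that sets the '../' limit.
RULES = [
    (re.compile(r"Include filename \('(?P<detail>[^']*)'\) contains too many '\.\./'"),
     "suhosin.executor.include.max_traversal"),
    (re.compile(r"function within blacklist called: (?P<detail>\w+)\(\)"),
     "suhosin.executor.func.blacklist"),
]
WHERE = re.compile(r"file '(?P<file>[^']*)', line (?P<line>\d+)\)")

def triage(log_lines):
    """Return one dict per Suhosin ALERT: directive, detail, script file, line."""
    hits = []
    for raw in log_lines:
        alert = re.search(r"ALERT\s*-\s*(.*)", raw)
        if not alert:
            continue  # ordinary Apache/PHP error, not a Suhosin block
        msg = alert.group(1)
        where = WHERE.search(msg)
        hit = {"directive": "unrecognised", "detail": msg,
               "file": where.group("file") if where else None,
               "line": int(where.group("line")) if where else None}
        for pattern, directive in RULES:
            found = pattern.search(msg)
            if found:
                hit.update(directive=directive, detail=found.group("detail"))
                break
        hits.append(hit)
    return hits

def summarize(hits):
    """Count alerts per (directive, file, line) so each cause is reviewed once."""
    return Counter((h["directive"], h["file"], h["line"]) for h in hits)

# Constructed sample lines, modelled on the log excerpts in the thread.
CFG = "/www/xxx/public_html/fckeditor/editor/filemanager/connectors/php/config.php"
TRAVERSAL = ("[error] [client 10.10.10.9] ALERT - Include filename "
             "('../../../../../lib-common.php') contains too many '../' "
             "(attacker '10.10.10.9', file '%s', line 25)" % CFG)
SAMPLE = [
    TRAVERSAL, TRAVERSAL,
    "[error] ALERT- function within blacklist called: ini_set() (attacker "
    "'X-FORWARDED-FOR not set', file '/www/xxxx/public_html/lib-common.php', line 168)",
    "[error] [client 10.10.10.9] File does not exist: /www/xxx/public_html/favicon.ico",
]
```

Calling `summarize(triage(SAMPLE))` gives one entry per distinct cause, which is the list of settings to decide on one by one.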
