security questions

Thread began 12/01/2009 9:25 am by office377308 | Last modified 1/08/2010 12:58 pm by Eric Mittman | 2079 views | 7 replies |

office377308

security questions

Hi,
I noticed that there are different parameters available when right-clicking on a picture in the kfm extended folder view. I guess it depends on the file / directory permissions. Is this right?

I have another question about security: HTML Editor installs itself always in the root directory which I find problematic. When I used FCKeditor manually I always installed it within my /admin (htaccess) protected subdirectory.

What would be your advice to secure HTML Editor? If someone from outside guesses this link, browser.php, this person could cause a lot of trouble there.

The problem is: my admin subdirectory is (htaccess) protected as a subdirectory of root. HTMLEditor resides in its own subdirectory of root as well and is only used by the admin (in my case). This makes it difficult to use the same protection strategy via htaccess because it would mean using two htaccess-protected directories.

How should I proceed? Use Security Assist? Which subdirectories / files should be protected then?

Please let me know,
thanks


Eric Mittman

The options that you see when you right-click should be based more on the file or folder and the type that it is. I think you will have these same options available even if you don't have the permissions for them; they just would not function if the permissions were not correct. I'm not sure that you would ever encounter that issue though, as the permissions should already be in place if you can interact with the file manager.

The HTML Editor files will always be created in the root of your DW site, there is no way to control this. One way that I have gotten around limitations like this is to have a separate site defined for the admin area, specifying the admin folder as the root of that site. This way you can add in the html editor directly to the admin area of your site.

Restricting access to the editor files based on a Security Assist rule is possible from within the HTML Editor interface.

You will first want to ensure that your Security Assist pages are in place and working and that you have a properly crafted Security Assist access rule. You would then edit the HTML Editor instance that is on the page and in the Global File Upload Settings area click on customize.

At the bottom of this interface are the options for restricting access to the editor files based on your Security Assist rules; just select the rule that will restrict access to only you.


troyd

I've got something strange here that I am not figuring out. I installed an instance of HTMLEditor with Advanced File Management. But it is confused about my Security Assist rules selected in the Global settings interface.

Here's the details. This is an insert page within a CMS created a long time ago using DA and SA. It's been secured using an Admin login rule and the page itself will deny access if you are not logged in. However, if I am logged in and try to upload a file using HTMLEditor and the fckeditor "Upload File" tab, it denies me and an error drops down saying that it is disabled in the config.php.

If I have it set to "Everyone" it works. And if I have it set to my "Administrator" rule it fails. But here's the weird part. If I have it set to "Administrator" only, but then I log out, and then click upload, it works. (I did this by opening a new window and then logging out and then returning to the instance of the tabbed "Browse Server" window that was still open.)

The HTMLEditor folder is in my root directory. In my case (/public_html/HTMLEditor/) and my insert page is in (/public_html/CMS/admin/insert.php)

The upload knows where the correct path is. So I am assuming it is something I am overlooking with my SA rules. Keep in mind, the rule I am using is the exact same rule that denies access to the page the editor is on, if not logged in.

By the way, this rule is a session that checks the global.php page where the admin username and password are located. So the HTMLEditor code might not know where to compare the username and password. Is that a possibility? Should I add the

php:
<?php require_once( "../Globals/globals.php" ); ?>

to some page within the HTMLEditor folder?

I noticed that within the tables created by HTMLEditor, there is a parameters table with username "" and password "". Should I edit this?

Any thoughts?

Thanks,
TroyD


Eric Mittman

How exactly is your Admin rule defined? If it is based on a variable and the value is not available or the value is not matching the rule will restrict access.

As a test of this you should try printing out the value that your rule uses on the page to determine what this value is when you are denied as well as when you log out and gain access. You should put this on the page you are logging out with so you can see it before and after you log out. When you test it, bring up the browse server interface, open your new window and check what the value of the variable is, then go and try to upload. This should fail; then do it again but log out this time and confirm the value of the variable.

Please get back to us with what you discover, if you have any questions about any part of this please let us know.


troyd

Eric,

I'm honestly not sure how to print out the value for my rule. I'll keep looking for the code for that, but just in case I can't find it, could you tell me?

Thanks,
Troy


Eric Mittman

To get this value to be printed on the page you will need to know the names of the session variables that you are using in your Admin rule. So the first step would be to go to the rules manager and edit the Admin rule so you can see the values used. You should record these values to a new page temporarily.

Next you could use the bindings panel and expand the session variables to find the values used in your rule and drag and drop these variables onto your page where you would like to see them; you may want to type in some text in front of where you put them so you will know if the values are blank.

Here is an example of what this might look like in the code view on your page:

php:
The value of the session variable is: <?php echo (isset($_SESSION['your variable']) ? $_SESSION['your variable'] : ""); ?>



You would of course need to make sure that you use the name of your session variable in the brackets instead of the example.


troyd

Eric,

Thanks for the reply but you sort of lost me.

Here's what my rules information provides. This is based on a login rule that is compared to the login listed in the globals.php file.

Rule Edit-
Allow if
Value:

php:
<?php echo $_SESSION['AdminLogin']; ?>


Criteria: =
Compare to:

php:
<?php echo $GLOBALS['WAGLOBAL_Admin_Password']; ?>



So each page I have this rule assigned to has a require_once of the global.php file. This is the case for the page with the HTMLEditor form on it but not any of the files within the HTMLEditor folder.

The name of this rule is "Administrator" and I simply selected it from within the security section of the HTMLEditor Global Settings.

When I tried printing the "value:" portion from above, it simply shows the password.

Thanks,
TroyD


Eric Mittman

Thanks for the info, it helps. I think this may be due either to the rule not getting added to the HTML editor pages, or to the rules being there but the values that are being compared not being present.

The rules for access should be written to the following HTML editor pages:

HTMLEditor > editor > filemanager > browser > default > browser.php
HTMLEditor > editor > plugins > kfm > configuration.php

Take a look at these pages to see if you can spot the rule applied to the page, also make sure that the include file references are on these pages. If you can see that the rules are applied to the page correctly the next thing to do is to print out these values that the rule uses to ensure that they are correct.

To do this you would add this code to the top of these pages before the access rule:

php:
print("The value of the adminlogin var is: " . $_SESSION['AdminLogin'] . "<br/>");

print("The value of the global pass is: " . $GLOBALS['WAGLOBAL_Admin_Password']);



This should let us know the values of these vars when the pages are being accessed. Please post back with this info so we can help you uncover what the problem may be.

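An added example, not part of this thread and not WebAssist or Security Assist code. It covers two points raised above: the original question of protecting the HTMLEditor directory with the same admin check as /admin without a second htaccess setup, and the later debugging of a rule that compares $_SESSION['AdminLogin'] with $GLOBALS['WAGLOBAL_Admin_Password'] on pages that may never have loaded globals.php. The thread does not confirm what the rule actually evaluates on the editor pages; the example shows what a rule of that shape does when the compare-to value is absent, using PHP's own comparison semantics. All file names and paths (admin_guard.php, the Globals directory, the values 's3cret') are assumptions for the illustration. It needs PHP 7.1 or later.

```php
<?php
// Added example for this thread, not WebAssist code.
// Hypothetical file: /public_html/CMS/admin/admin_guard.php
// Meant to be require_once'd at the top of the editor pages named above
// (browser.php and the kfm configuration.php), so the editor directory and
// /admin share one check instead of two htaccess-protected directories.
declare(strict_types=1);

// Locate globals.php by an absolute path. A relative "../Globals/globals.php"
// resolves differently from /HTMLEditor/editor/... than from /CMS/admin/,
// which is one way the compare-to value silently goes missing. (Assumed path.)
define('ADMIN_GLOBALS_FILE', __DIR__ . '/../Globals/globals.php');

// The rule as the thread describes it: allow when session value == global value.
// With == two missing values compare equal (null == null is true), so a page
// that never loaded globals.php lets a logged-out visitor through and rejects
// a logged-in one, because 's3cret' == null is false.
function looseRuleAllows(?string $sessionLogin, ?string $globalPassword): bool
{
    return $sessionLogin == $globalPassword;
}

// Hardened form (assumed, not Security Assist's own implementation):
// both values must exist, and the comparison is strict and constant-time.
function strictRuleAllows(?string $sessionLogin, ?string $globalPassword): bool
{
    if ($sessionLogin === null || $globalPassword === null || $globalPassword === '') {
        return false;   // missing include or missing session: fail closed
    }
    return hash_equals($globalPassword, $sessionLogin);
}

if (PHP_SAPI === 'cli') {
    // Run from the command line: walk through the three situations from the
    // thread with constructed values and show how each rule decides.
    $cases = [
        'insert.php, logged in, globals.php included'   => ['s3cret', 's3cret'],
        'browser.php, logged in, globals.php missing'   => ['s3cret', null],
        'browser.php, logged out, globals.php missing'  => [null, null],
    ];
    foreach ($cases as $name => [$sess, $glob]) {
        printf("%-46s  loose: %-5s  strict: %s\n", $name,
            looseRuleAllows($sess, $glob) ? 'ALLOW' : 'deny',
            strictRuleAllows($sess, $glob) ? 'ALLOW' : 'deny');
    }
} else {
    // Included from a web page: enforce the rule before any editor code runs.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_file(ADMIN_GLOBALS_FILE)) {
        http_response_code(500);   // misconfiguration must fail closed, not open
        exit('admin guard: globals.php not found');
    }
    // Top-level include on purpose: a require inside a function would make the
    // $WAGLOBAL_* variables local to that function and $GLOBALS would stay empty.
    require_once ADMIN_GLOBALS_FILE;
    if (!strictRuleAllows(
        $_SESSION['AdminLogin'] ?? null,
        $GLOBALS['WAGLOBAL_Admin_Password'] ?? null
    )) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Running `php admin_guard.php` prints the loose rule as ALLOW, deny, ALLOW for the three cases and the strict rule as ALLOW, deny, deny; the loose column is the pattern troyd reports (denied while logged in, allowed after logging out) whenever the editor pages do not load globals.php. Two further points a practitioner would check: the guard has to be present in both editor files Eric lists, not only the page carrying the editor form; and the fact that printing $_SESSION['AdminLogin'] shows the password means the admin password itself is stored in the session, so a login that sets a flag or user id instead would let the editor pages skip loading globals.php entirely.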
