#1 2005-08-12 13:44:26

dt
New member
Registered: 2005-08-12
Posts: 2

Help with ImageManager and Dynamic Directories

Hello everyone,
I have been trying to figure this out for a while and now it's time to ask for assistance :)

I use xinha in a multi-user environment where each user has their own 'media' folder. I would like ImageManager to use these different folders when viewing and uploading images. What makes this difficult is that my site is ColdFusion driven.

I have tried to pass the imagedir and imageurl vars in the URL, but ColdFusion's <CFInclude> function does not pass URL variables, and using <script src="phppage.php?imagedir='ThePath'&imageurl='TheURL'"> doesn't seem to work either. Can you pass URL vars with the <script src=''> command?

I have tried to include hidden fields and form/post them back to the page and pick the variables up using $_POST and $_GET in an included PHP page.

I am sure that I have been missing something, so how do I get a ColdFusion (or ASP, I assume, would present the same issue) variable to the config.inc.php page of ImageManager for creating dynamic directories?

On a sidenote: I read (in a closed ticket) that php session vars (for imagedir & imageurl) could be created in the xinha_Init so you would no longer have to edit the config.inc.php pages. My Xinha_Init function is within a .js page (my_config.js), can PHP run within a .js type page?

Sorry if this post is convoluted, my head hurts from banging it onto my desk over this ;)

#2 2005-08-13 00:46:56

gogo
Xinha Leader
From: New Zealand
Registered: 2005-02-11
Posts: 1,015

Re: Help with ImageManager and Dynamic Directories

For security, if you want to supply an image directory to the image manager, then it must be done in this way (snipped from the comments in image-manager.js):

  //  It's useful to pass the configuration to the backend through javascript
  //  (this saves editing the backend config itself), but the problem is
  //  how do you make it so that the enduser can not sneakily send thier own
  //  config to the server (including directory locations etc!).
  //
  //  Well, we specify 3 config variables (if the first is given all 3 are required)
  //  first in backend_config we provide the backend configuration (in the format
  //  required by the backend, in the case of PHP this is a serialized structure).  We do not
  //  need to provide a complete configuration here, it will be merged with defaults.
  //
  //  Then in backend_config_secret_key_location we store the name of a key in a
  //  session structure which stores a secret key (anything random), for example
  //  when making the Xinha editor in PHP we might do
  //  <?php $_SESSION['Xinha:ImageManager'] = uniqid('secret_'); ?>
  //  xinha_config.ImageManager.backend_config_secret_key_location = 'Xinha:ImageManager';
  //
  //  Then finally in backend_config_hash we store an SHA1 hash of the config combined
  //  with the secret.
  //
  //  A full example in PHP might look like
  //
  //  <?php
  //   $myConfig = array('base_dir' => '/home/your/directory', 'base_url' => '/directory');
  //   $myConfig = serialize($myConfig);
  //   if(!isset($_SESSION['Xinha:ImageManager'])) $_SESSION['Xinha:ImageManager'] = uniqid('secret_');
  //   $secret = $_SESSION['Xinha:ImageManager'];
  //  ?>
  //  xinha_config.ImageManager.backend_config      = '<?php echo jsaddslashes($myConfig)?>';
  //  xinha_config.ImageManager.backend_config_hash = '<?php echo sha1($myConfig . $secret)?>';
  //  xinha_config.ImageManager.backend_config_secret_key_location = 'Xinha:ImageManager';
  //
  // (for jsspecialchars() see http://nz.php.net/manual/en/function.addcslashes.php)
  //

Now, this isn't going to be much help to you if you're using CF (I spent several years working in CF - all I can say is that I'm glad I don't have to any more), unless you have PHP on the same machine.  As to putting php in js, well sure, what I'd do is name your file my_config.php instead of my_config.js, then you can put in <?php  .... ?> areas as much as you like.


James Sleeman
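
The handshake gogo quotes above, written out as an added example (my code, not Xinha's): the editor page serializes the config and signs it with a per-session secret, and the backend recomputes the hash before it trusts a single byte of the config. It assumes a started PHP session; the exact request-parameter names that backend.php reads are not on this page, so the values are passed to the verifying function directly.

```php
<?php
// Added example, not Xinha's own code: the signed-config handshake described
// in the image-manager.js comment, page side and backend side in one file so
// the check can be read end to end. Assumes session_start() is available; the
// request-parameter names backend.php uses are not on this page, so the
// backend half takes the three values as function arguments.

session_start();

const KEY_LOCATION = 'Xinha:ImageManager';   // name of the session slot

// Page side: serialize the config and sign it with a per-session secret.
function xinha_signed_config(array $config, string $keyLocation): array
{
    if (!isset($_SESSION[$keyLocation])) {
        // The secret must be unguessable; random_bytes() rather than uniqid().
        $_SESSION[$keyLocation] = bin2hex(random_bytes(16));
    }
    $serialized = serialize($config);
    return [
        'config' => $serialized,
        'hash'   => sha1($serialized . $_SESSION[$keyLocation]),
    ];
}

// Backend side: recompute the hash and refuse anything that does not match.
// Returns the decoded config array, or null when it cannot be trusted.
function xinha_verify_config(string $config, string $hash, string $keyLocation): ?array
{
    if (!isset($_SESSION[$keyLocation])) {
        return null;                       // no secret in this session
    }
    $expected = sha1($config . $_SESSION[$keyLocation]);
    if (!hash_equals($expected, $hash)) {  // constant-time comparison
        return null;                       // tampered or forged
    }
    // unserialize() only after the hash check, and never into objects.
    $decoded = unserialize($config, ['allowed_classes' => false]);
    return is_array($decoded) ? $decoded : null;
}

// Emit the JS the editor page needs (constructed sample directories).
$signed = xinha_signed_config(
    ['images_dir' => '/var/www/media/user42/', 'images_url' => '/media/user42/'],
    KEY_LOCATION
);
printf("xinha_config.ImageManager.backend_config = '%s';\n",
       addcslashes($signed['config'], "'\\"));   // the job jsaddslashes() does
printf("xinha_config.ImageManager.backend_config_hash = '%s';\n", $signed['hash']);
printf("xinha_config.ImageManager.backend_config_secret_key_location = '%s';\n",
       KEY_LOCATION);

// What backend.php would then see: the genuine config is accepted ...
echo xinha_verify_config($signed['config'], $signed['hash'], KEY_LOCATION)
    ? "genuine config: accepted\n" : "genuine config: rejected\n";
// ... and a config altered in transit (different directory) is rejected.
$altered = str_replace('user42', 'user43', $signed['config']);
echo xinha_verify_config($altered, $signed['hash'], KEY_LOCATION)
    ? "altered config: accepted\n" : "altered config: rejected\n";
```

Two things worth noting. The hash is checked before unserialize() is ever called, because unserialize() on attacker-controlled input is itself a risk; and sha1(config . secret) is the construction the Xinha comment specifies, but a new implementation would use hash_hmac('sha256', $config, $secret), which is a proper MAC and not exposed to length-extension issues. The scheme only guarantees that the config came from your own page: it does not validate the directory, so the page that builds $myConfig is still responsible for choosing a safe one.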

#3 2005-08-13 11:07:37

kptkip
Xinha Community Member
Registered: 2005-08-13
Posts: 14

Re: Help with ImageManager and Dynamic Directories

Hi, I made it this way:

1. I call the website within the initialisation script for xinha with some parameters (i.e. editor.php?val1=1&val2=2 ...)

2. in the Script I get them via: $val1=$_REQUEST['val1'] ...

3. I define a global Javascript variable like var image_list_url = "<?php echo "val1=$val1&val2=$val2"; ?>";

4. then I open the plugin-script of the ImageManager

5. there you can see the following line (I think no. 45):
  'backend'    : _editor_url + 'plugins/ImageManager/backend.php?__plugin=ImageManager&',
change it to:
  'backend'    : _editor_url + 'plugins/ImageManager/backend.php?__plugin=ImageManager&'+image_list_url+'&',

with this trick you call the real backend script with additional parameters.

6. in this script (backend.php) you catch your params again:
$val1 = $_REQUEST['val1'];

They are used in the included file "config.inc.php".


7. Finally you take them and print them into your dir variables:
$IMConfig['images_dir'] = $val1;
$IMConfig['images_url'] = "http://mydomain.org".$val1;


Maybe you can adjust this according to your needs.

Good luck!

Kpt|Kip

Offline

#4 2005-08-13 11:23:17

gogo
Xinha Leader
From: New Zealand
Registered: 2005-02-11
Posts: 1,015

Re: Help with ImageManager and Dynamic Directories

kptkip wrote:

6. in this script (backend.php) you catch your params again:
$val1 = $_REQUEST['val1'];

They are used in the included file "config.inc.php".


7. Finally you take them and print them into your dir-Variables:
$IMConfig['images_dir'] = $val1;
$IMConfig['images_url'] = "http://mydomain.org".$val1;

That's a security problem right there.  Now anybody can set the image directory for your copy of ImageManager to any directory they want on the server, just by calling

backend.php?val1=/some/directory/people/should/not/see

whether ImageManager can do anything useful with that I don't know, but it gives a crack for hackers to work on.


James Sleeman

#5 2005-08-13 11:30:43

kptkip
Xinha Community Member
Registered: 2005-08-13
Posts: 14

Re: Help with ImageManager and Dynamic Directories

Hi,

Yes, you are right!
So you check the referer, whether it exists and whether it is you (your original script). So other guys don't see anything.

Print this directly before your variable-declaration in the backend-script.
So you check if the caller is from your server, even if the caller doesn't transmit its own server name as Referer:

$ownBaseURL = "http://".$_SERVER['HTTP_HOST'];
// Referer header is optional; treat a missing one as "not from us"
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if(strstr($referer, $ownBaseURL) === FALSE)
 die("You are not allowed to call this script");

Kpt|Kip

Last edited by kptkip (2005-08-13 12:21:49)

#6 2005-08-17 05:07:35

MySchizoBuddy
Xinha Community Member
Registered: 2005-08-17
Posts: 22

Re: Help with ImageManager and Dynamic Directories

The moment i add

xinha_config.ImageManager.backend_config  = '<?php echo jsaddslashes($IMConfig)?>';
xinha_config.ImageManager.backend_config_hash  = '<?php echo sha1($IMConfig . $_SESSION['Xinha:ImageManager'])?>';

Xinha doesn't load at all. Without this code it does;
even commenting out the code it won't work. I have to delete the code for xinha to load.
This is really wacky behaviour.

Last edited by MySchizoBuddy (2005-08-17 05:24:26)

#7 2005-08-17 06:03:59

niko
Xinha Authority
From: Salzburg/Austria
Registered: 2005-02-14
Posts: 338

Re: Help with ImageManager and Dynamic Directories

@kptkip
checking the referrer doesn't help at all - because you can send ANYTHING as referrer (you just have to modify the request-header which can be done by several tools...)

@MySchizoBuddy
please post the HTML-code that is generated by the php-script, and post any errors from the javascript-console (FF)


Niko

#8 2005-08-17 06:26:08

MySchizoBuddy
Xinha Community Member
Registered: 2005-08-17
Posts: 22

Re: Help with ImageManager and Dynamic Directories

The PHP script doesn't output any code. I looked up the HTML and step 3 only has the default xinha_config thingy, nothing more.
I used print "HelloWorld"; to see if the script is working; the JavaScript console in FF reports an error. So the script is executing.

Last edited by MySchizoBuddy (2005-08-17 06:43:11)

#9 2005-08-19 13:04:51

MySchizoBuddy
Xinha Community Member
Registered: 2005-08-17
Posts: 22

Re: Help with ImageManager and Dynamic Directories

I'm getting a backend security error.
The HTML is:

       xinha_config.ImageManager.backend_config = 'a:2:{s:10:\"images_dir\";s:9:\"/uploads/\";s:10:\"images_url\";s:9:\"/uploads/\";}';
       xinha_config.ImageManager.backend_config_hash = '324826f7d4833a74019b3e47ad246161e8b2f94b';

#10 2005-08-19 14:37:27

kptkip
Xinha Community Member
Registered: 2005-08-13
Posts: 14

Re: Help with ImageManager and Dynamic Directories

@niko:
Yes you are right, there is no excuse!

But to be honest it is time to think about the chance that any stranger knows the following stuff:

a) The exact URL of my script. There is no typical place in my CMS directory structure to place it. I can put it anywhere. So how should he know what script he has to attack?
b) Only geek users working with my backend can know this, and I don't give people an account on my system I don't trust. They can destroy my page anyway.
c) Also those guys don't know which parameters are taken via $_REQUEST, and it's hard work to get this out.
d) The script only reads images, file types I do declare. Even if any cool guy broke through all this, what will he see?! My JPEGs in the root directory? So what?

In my opinion there is a lower per-mille chance to make something fancy.

But in the end you are right, as already said!

Because of this, in my script I don't go this way either! ;-))

In my case I only transmit the ID of my client this way. In the config.php I have added a function I took from a config file of my CMS, and there I read the path that belongs to the client.

So in my case there is no security leak.

It was only a hint for "How do I transmit information to the ImageManager-Script?". Nothing more. What you transport is your responsibility.

Greetings
Kpt|Kip
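
The variant kptkip describes in the post above (send only a client ID, look the path up on the server) is the one that addresses gogo's objection, so here it is as an added example of my own, not kptkip's or Xinha's code. MEDIA_ROOT, the 'client' parameter name and the client table are assumptions chosen for illustration; $IMConfig['images_dir'] and $IMConfig['images_url'] are the ImageManager keys named earlier in this thread.

```php
<?php
// Added example (not Xinha's or kptkip's code): config.inc.php resolves the
// image directory from a server-side table keyed by client ID, so no path is
// ever taken from the request. MEDIA_ROOT, the 'client' parameter and the
// table contents are assumptions for illustration.

const MEDIA_ROOT = '/var/www/media';

// Server-side table: client id -> sub-directory under MEDIA_ROOT (constructed).
function client_media_dirs(): array
{
    return ['42' => 'acme', '43' => 'globex'];
}

// Returns the absolute, verified directory for a client, or null.
function resolve_client_media_dir(string $clientId): ?string
{
    // Allowlist the id's shape before it is used as an array key.
    if (!preg_match('/^[0-9]{1,10}$/', $clientId)) {
        return null;
    }
    $dirs = client_media_dirs();
    if (!isset($dirs[$clientId])) {
        return null;                                   // unknown client
    }
    // realpath() fails for paths that do not exist and collapses any '..';
    // afterwards confirm the result still lies inside MEDIA_ROOT, so that a
    // bad table entry cannot point ImageManager outside the media tree.
    $root = realpath(MEDIA_ROOT);
    $dir  = realpath(MEDIA_ROOT . '/' . $dirs[$clientId]);
    if ($root === false || $dir === false) {
        return null;
    }
    if (strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                                   // escaped the root
    }
    return $dir;
}

// Usage in config.inc.php: the request value is a lookup key, nothing more.
$clientId = isset($_REQUEST['client']) ? (string) $_REQUEST['client'] : '';
$dir = resolve_client_media_dir($clientId);
if ($dir === null) {
    header('HTTP/1.1 403 Forbidden');
    die('Unknown client');
}
$IMConfig['images_dir'] = $dir . '/';
$IMConfig['images_url'] = '/media/' . client_media_dirs()[$clientId] . '/';
```

With this shape the referer check from post #5 is no longer needed: the worst a caller can do by changing the parameter is select a different entry of a table you wrote, and the realpath() containment check catches a table entry that points outside MEDIA_ROOT. Better still is to take the client ID from the logged-in user's session instead of the request, which removes the parameter from the trust boundary altogether.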

#11 2005-08-19 18:18:42

dt
New member
Registered: 2005-08-12
Posts: 2

Re: Help with ImageManager and Dynamic Directories

Thanks for your replies gogo and kptkip.

I was able to get this working by using kptkip's suggestion and was able to do so using ColdFusion as xinha's config file (instead of js or PHP). This allowed me to pass the directory variable more discreetly to the ImageManager plugin. Gogo is correct that this does cause some security issues, but as kptkip replied, this is a remote possibility because it appears to be very difficult for anyone to know the variable name I'm using and exploit that via the backend.php.

Thanks Again!!

Last edited by dt (2005-08-19 18:20:10)

#12 2005-09-22 09:18:37

c0
Xinha Community Member
Registered: 2005-09-01
Posts: 25

Re: Help with ImageManager and Dynamic Directories

serialize / unserialize output is dependent on magic quotes on or off in PHP.

Use stripslashes when catching $_REQUEST['backend_configuration'] to remove back quotes.

Go here:
http://xinha.gogo.co.nz/punbb/viewtopic.php?id=421