KCFinder does not allow file upload/browse Fix #519

Open
devaabhik opened this Issue Aug 29, 2015 · 1 comment


@devaabhik

As per a regular installation, KCFinder upload/browse does not work unless you set $_CONFIG = array( 'disabled' => false) in kcfinder/confs/config.php, which is insecure and allows anybody to upload files to the server. This is a serious security threat and a very common, known exploit: a no-no!

The problem:

KCFinder does not extract the session information passed by Dada Mail's Session.pm.

The fix:
(Apply just after installing but before first use!!. Just right after the installer-disabled folder is created.)

a) Edit:

".dada_files/.config/ .dada_config"
in the root of your site.

Find:
"session_name => 'PHPSESSID',"
under "$FILE_BROWSER_OPTIONS",
Change the session name to KCFINDER:
"session_name => 'KCFINDER',"
Commit changes.

b) Add the following lines at the end of KCFinder's bootstrap.php.

"public_html/dada_mail_support_files/kcfinder/core/bootstrap.php"

Just after the line:
// PUT YOUR ADDITIONAL CODE HERE

Code to include:
```php
//----------------------------------------------------------
// DADA MAIL INTEGRATION CODE

// Set the cookie name to KCFINDER
$cookie_name = "KCFINDER";

// Take the session ID from the cookie, but only if it is made of the
// characters a session ID can contain, because it becomes part of a
// file name below
if ( isset( $_COOKIE[$cookie_name] )
     && $_COOKIE[$cookie_name] != $cookie_name
     && preg_match( '/^[A-Za-z0-9,-]+$/', $_COOKIE[$cookie_name] ) ) {
    session_id( $_COOKIE[$cookie_name] );
}

// Set the session name to KCFINDER
session_name( "KCFINDER" );

// Retrieve the current session ID to form the file name
$current_id = session_id();

// Find the session file (this implies the standard session directory
// as per a standard Dada Mail install)
$file = '../../../.dada_files/.tmp/php_sessions/sess_' . $current_id;

// No usable ID or no session file: stop without too verbose information
if ( $current_id === '' || !is_readable( $file ) ) {
    die("Problems with Installation... Aborting");
}

// Read the stored session data
$contents = file_get_contents( $file );

// Start the session here for further processing
session_start();

// Populate the session array with the session file data
session_decode( $contents );

// As we have set session.pm disabled to false...
if ( isset( $_SESSION['KCFINDER']['disabled'] )
     && $_SESSION['KCFINDER']['disabled'] == 'false' ) {
    $_SESSION['KCFINDER']['disabled'] = "0";
} else {
    // Die without too verbose information
    die("Problems with Installation... Aborting");
}
// ------------------ END OF DADA MAIL CODE ----------------
```

Finally, if you are using CKEditor, very likely at start-up you would still get the following error:

“ckeditor_comment_list: SyntaxError: Unexpected Token <”

That is because the Dada config tries to start a CKEditor plugin which has not been configured, and which does not add too much to the editor. To get rid of it:

open:

"public_html/dada_mail_support_files/ckeditor/dada_mail_config.js"

and delete line 55: " config.extraPlugins = 'strinsert';"

That's it.

You should be able to browse and upload images, with no complaints from KCFinder or CKEditor.
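To see what a Dada Mail session file actually hands to KCFinder, the following added example (not code from this thread or from either project) decodes a session file and reports the KCFINDER `disabled` entry together with how PHP converts it to a boolean. It assumes PHP's default `php` session serialization, which is what `session_decode()` reads unless configured otherwise; the sample contents are constructed.

```python
# Added example: inspect what a PHP-format session file carries for KCFinder.

def _value(buf, pos):
    """Parse one PHP-serialized value at buf[pos]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                     # b:0;  i:42;  d:1.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        value = raw == "1" if tag == b"b" else int(raw) if tag == b"i" else float(raw)
        return value, end + 1
    if tag == b"s":                                   # s:<len>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        end = colon + 2 + int(buf[pos + 2:colon])
        return buf[colon + 2:end].decode("utf-8", "replace"), end + 2
    if tag == b"a":                                   # a:<count>:{key value ...}
        colon = buf.index(b":", pos + 2)
        count, pos, out = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _value(buf, pos)
            out[key], pos = _value(buf, pos)
        return out, pos + 1                           # step over the closing "}"
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def decode_session(buf):
    """Split the 'name|value' records of the default 'php' session format."""
    out, pos = {}, 0
    while pos < len(buf):
        bar = buf.index(b"|", pos)
        name = buf[pos:bar].decode()
        out[name], pos = _value(buf, bar + 1)
    return out

def php_truthy(value):
    """PHP boolean conversion; note that the string 'false' converts to true."""
    return value not in (None, False, 0, "", "0", {})

def kcfinder_disabled(buf):
    """Return (value, php_truthy(value)) for KCFINDER.disabled, or None if absent."""
    entry = decode_session(buf).get("KCFINDER")
    if not isinstance(entry, dict) or "disabled" not in entry:
        return None
    return entry["disabled"], php_truthy(entry["disabled"])

# Constructed sample contents, not taken from a real install.
SAMPLE = b'_session_id|s:4:"abcd";KCFINDER|a:1:{s:8:"disabled";s:5:"false";}'
```

Pass `kcfinder_disabled()` the bytes of a `sess_*` file from the session directory; a `None` result means the file carries no KCFINDER entry at all, and a `ValueError` means it is not in the assumed format.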

@justingit
Owner

I'll check this out the next time I have a problem, but I just want to preface this with, "KCFinder does not work with Dada Mail for you" - there's something about your install that's not allowing it to work. On a stock Dada Mail, without any fiddling, KCFinder works just fine for me, and most all of the clients I install Dada Mail on, and support,
