Load Kohana from 'external' script/app
  • Hi,
    I'm using FCKeditor with my Kohana app, and want to secure its filemanager script.
    For this I'm going to need to include some part of Kohana and run it so that I can do a quick user login/credentials check.

    What's the best way of doing this?

    (FYI: FCK file manager vulnerability is outlined here: http://www.fckeditor.net/forums/viewtopic.php?f=6&t=11332 )
  • Hi dougal2, I had a similar issue with the MCFileManager extension to TinyMCE. I'm really not convinced I've done it in the best way so I'd be interested to hear if there are better approaches and if this is insecure, but I created a script to check authentication when the file manager was launched and then set the result in a session variable which MCFileManager had access to and could check. The script used base64_decode($_COOKIE['kohanasession_data']), then extracted the username and password (using a reg exp) which I then checked against my database. I'm using the ORM driver for Auth and the cookie driver for sessions and this approach seemed to work fine for me.

    Hope this is of some use and I'm definitely curious if there are better ways to deal with this issue as my effort was the desperate effort of a relative noob :)

  • *BUMP*

    anyone ?
  • OK, I figured out a way... here's my take.

    Modify the bottom of public_html/index.php to read

    // Initialize.
    if (defined('LOAD_FROM_EXTERNAL'))
        require APPPATH.'../load_kohana_ext'.EXT;
    else
        require SYSPATH.'bootstrap'.EXT;


    Copy kohana/system/bootstrap.php to APPPATH/../load_kohana_ext.php, and modify by commenting out routing + system.execute + system.shutdown:

    // Prepare the system
    Event::run('system.ready');

    // Determine routing
    //Event::run('system.routing');

    // End system_initialization
    Benchmark::stop(SYSTEM_BENCHMARK.'_system_initialization');

    // Make the magic happen!
    //Event::run('system.execute');

    // Clean up and exit
    //Event::run('system.shutdown');



    In your external script, chdir() to public_html, define LOAD_FROM_EXTERNAL, include index.php, and then check logged_in() from Auth:

    chdir('../../../');
    define('LOAD_FROM_EXTERNAL', 1);
    include "index.php";

    echo (Auth::instance()->logged_in('login') == 1)?"Yes":"No";
  • More specifically for FCKEditor, in public_html/media/js/fckeditor/editor/filemanager/connectors/php/connector.php modify the top of the file like so:


    require('./config.php') ;
    require('./util.php') ;
    require('./io.php') ;
    require('./basexml.php') ;
    require('./commands.php') ;
    require('./phpcompat.php') ;

    // DH: Hook into Kohana and check User session
    chdir('../../../../../../../');
    define('LOAD_FROM_EXTERNAL', 1);
    require('index.php');
    $Config['Enabled'] = $Config['Enabled'] && Auth::instance()->logged_in('admin'); // or perhaps check 'file' role ?

    if ( !$Config['Enabled'] )
        SendError( 1, 'This connector is disabled. Please check the "editor/filemanager/connectors/php/config.php" file' ) ;

  • I know this is an old thread, but for reference here's a more elegant solution.

    hooks/kohana_external_mode.php:

    <?php
    
    if (defined('KOHANA_EXTERNAL_MODE') && KOHANA_EXTERNAL_MODE)
    {
        Event::clear('system.routing');
        Event::clear('system.execute');
        Event::clear('system.shutdown');
    }
    
    ?>
    

    Then simply do:

    <?php
    define('KOHANA_EXTERNAL_MODE', true);
    include('../path/to/index.php');
    ?>
    

    Remember to enable hooks.
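
A fail-closed gate file built on the hook approach in the last post, as an added example that is not from any poster in this thread and not Kohana project code. The file name `auth_gate.php`, the `$gate_*` variables and the index.php path are assumptions; it presumes Kohana 2.x with the Auth module, hooks enabled, and the `kohana_external_mode.php` hook installed.

```php
<?php
// auth_gate.php (hypothetical name): require this as the first statement of
// the external script, before any of its own code runs.

define('KOHANA_EXTERNAL_MODE', TRUE);

// Placeholder path to the Kohana front controller. It is resolved from this
// file's location, so the result does not depend on the working directory
// the web server happens to start the script in.
$gate_index = realpath(dirname(__FILE__).'/../path/to/index.php');

// Access is denied unless every check below passes.
$gate_ok = FALSE;

if ($gate_index !== FALSE && is_file($gate_index))
{
    // As in the posts above, run index.php from the docroot.
    chdir(dirname($gate_index));
    require $gate_index;

    // 'admin' is the role used earlier in the thread; adjust to your roles.
    // If the Auth class cannot be loaded, the request is refused.
    $gate_ok = class_exists('Auth') && Auth::instance()->logged_in('admin');
}

if ( ! $gate_ok)
{
    // Stop here so none of the file manager code executes for this request.
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}
```

Because the script exits on failure, the protected code does not need to remember to test a flag such as `$Config['Enabled']` on every code path.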
