TIP: Use Markdown or, <pre> for multi line code blocks / <code> for inline code.
Load Kohana from 'external' script/app
  • dougal2dougal2
    Hi,
    I'm using FCKeditor with my Kohana app, and want to secure it's filemanger script.
    For this I'm going to need to include some part of Kohana and run it so that I can do a quick user login/credentials check.

    What's the best way of doing this ?

    (FYI: FCK file manager vulnerability is outlined here: http://www.fckeditor.net/forums/viewtopic.php?f=6&t=11332 )
  • plastik74plastik74

    Hi dougal2, I had a similar issue with the MCFileManager extension to TinyMCE. I'm really not convinced I've done it in the best way so I'd be interested to hear if there are better approaches and if this is insecure, but I created a script to check authentication when the file manager was launched and then set the result in a session variable which MCFileManager had access to and could check. The script used base64_decode($_COOKIE['kohanasession_data']), then extracted the username and password (using a reg exp) which I then checked against my database. I'm using the ORM driver for Auth and the cookie driver for sessions and this approach seemed to work fine for me.

    Hope this is of some use and I'm definitely curious if there are better ways to deal with this issue as my effort was the desperate effort of a relative noob :)

  • dougal2dougal2
    *BUMP*

    anyone ?
  • dougal2dougal2
    OK, I figured out a way... here's my take.

    Modify the bottom of public_html/index.php to read

    // Initialize.
    if (defined('LOAD_FROM_EXTERNAL'))
    require APPPATH.'../load_kohana_ext'.EXT;
    else
    require SYSPATH.'bootstrap'.EXT;


    Copy kohana/system/bootstrap.php to APPPATH/../load_kohana_ext.php, and modify by commenting out routing + system.execute + system.shutdown:

    // Prepare the system
    Event::run('system.ready');

    // Determine routing
    //Event::run('system.routing');

    // End system_initialization
    Benchmark::stop(SYSTEM_BENCHMARK.'_system_initialization');

    // Make the magic happen!
    //Event::run('system.execute');

    // Clean up and exit
    //Event::run('system.shutdown');



    In your external script, chdir() to public_html, define LOAD_FROM_EXTERNAL, include index.php, and then check logged_in() from Auth:

    chdir('../../../');
    define('LOAD_FROM_EXTERNAL', 1);
    include "index.php";

    echo (Auth::instance()->logged_in('login') == 1)?"Yes":"No";
  • dougal2dougal2
    More specifically for FCKEditor, in public_html/media/js/fckeditor/editor/filemanager/connectors/php/connector.php modify the top of the file like so:


    require('./config.php') ;
    require('./util.php') ;
    require('./io.php') ;
    require('./basexml.php') ;
    require('./commands.php') ;
    require('./phpcompat.php') ;

    // DH: Hook into Kohana and check User session
    chdir('../../../../../../../');
    define('LOAD_FROM_EXTERNAL', 1);
    require('index.php');
    $Config['Enabled'] = $Config['Enabled'] && Auth::instance()->logged_in('admin'); // or perhaps check 'file' role ?

    if ( !$Config['Enabled'] )
    SendError( 1, 'This connector is disabled. Please check the "editor/filemanager/connectors/php/config.php" file' ) ;
  • LewisLewis

    I know this is an old thread, but for reference here's a more elegant solution.

    hooks/kohana_external_mode.php:

    <?php

if (defined('KOHANA_EXTERNAL_MODE') && KOHANA_EXTERNAL_MODE)
{
    Event::clear('system.routing');
    Event::clear('system.execute');
    Event::clear('system.shutdown');
}

?>

    Then simply do:

    <?php
define('KOHANA_EXTERNAL_MODE', true);
include('../path/to/index.php');
?>

    Remember to enable hooks.

Add a Comment