FCKEDITOR security issue

I run FCKEDITOR 6.x-2.3 on a Drupal 6 website. A hacker team worked to see if there is any security issue on the website, and they found some vulnerabilities with FCKEDITOR: an anonymous user can upload files to the server using an uploader like this one.
As an anonymous user I can access directories such as:
sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/browser.html
sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/frmupload.html
to upload my uploader file. Is there a way to fix it, or should I forget about using FCKEDITOR or any other WYSIWYG editors?

You can update your FCKEditor module (check: http://drupal.org/node/1482442).
Or, you can use CKEditor instead of FCKEDITOR. See: http://drupal.org/project/ckeditor
I have faced a similar security issue using CKEditor, and I followed the steps below.
Here is the process to update CKEditor and CKFinder:
Update CKEditor to version 6.x-1.13
Download the latest CKFinder version, 2.3
Unzip the ckfinder in sites/all/module/contrib/ckeditor/ckfinder
Open /all/module/contrib/ckeditor/ckfinder/config.php
Comment out the CheckAuthentication() function
Add the below two lines
$baseUrl may differ depending on the product.
Open /contrib/ckeditor/ckfinder/config.js
Add the lines below:
Note: I would like to request everyone to prepare a set of allowed and denied extensions.
One more additional issue: add cookie_domain in the sites/default/settings.php file.
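The note above asks for a set of allowed and denied extensions. As an added example (not code from the original answer, CKFinder or Drupal), this is the kind of server-side filename check an upload handler or file manager should apply, and it covers the cases a naive suffix test misses: case, double extensions, trailing dots, NUL bytes, directory components and dot-files. The extension lists are constructed sample values.

```python
"""Added example: server-side upload filename policy. Not code from the
original answer, CKFinder or Drupal; the extension lists are constructed."""
import posixpath
import re
from typing import List, Tuple

# Constructed sample lists; a real site derives these from what it must serve.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
DENIED = {"php", "php3", "php5", "phtml", "phar", "htaccess",
          "asp", "aspx", "jsp", "cgi"}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


def sanitize_filename(raw: str) -> str:
    """Drop directory components (either separator), NUL tails and trailing dots."""
    name = raw.replace("\\", "/")
    name = posixpath.basename(name)      # removes '../' and absolute prefixes
    name = name.split("\x00", 1)[0]       # 'x.php\x00.jpg' -> 'x.php'
    return name.strip().rstrip(".")       # 'x.php.' is stored as 'x.php' on Windows


def extensions_of(name: str) -> List[str]:
    """Every dotted component after the base name, lower-cased:
    'archive.tar.gz' -> ['tar', 'gz']; 'shell.php.jpg' -> ['php', 'jpg']."""
    return name.lower().split(".")[1:]


def is_upload_allowed(raw: str, allowed=ALLOWED, denied=DENIED) -> Tuple[bool, str]:
    """Return (ok, reason-or-clean-name). Deny wins over allow, and every
    extension component is checked, so 'shell.php.jpg' is rejected."""
    name = sanitize_filename(raw)
    if not name or not _SAFE_NAME.match(name):
        return False, "invalid characters or empty name"
    if name.startswith("."):
        return False, "dot-file names are not accepted"   # catches .htaccess
    exts = extensions_of(name)
    if not exts:
        return False, "no extension"
    for ext in exts:
        if ext in denied:
            return False, f"denied extension: {ext}"
    if exts[-1] not in allowed:
        return False, f"extension not in allow-list: {exts[-1]}"
    return True, name
```

The check is only meaningful when the file manager also refuses unauthenticated callers; an extension policy does not substitute for the CheckAuthentication() step.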

Related

Installing Chinese character support for wkhtmltopdf on CloudControl

I have a production/test environment deployed on CloudControl that uses wkhtmltopdf in order to create a PDF from an HTML page. This HTML page may contain Chinese characters though, and in this case, once converted, these characters simply disappear.
According to this question I should perform the installation of some font packages, but since I don't have direct console access to CloudControl, this solution won't work for me.
Before I escalate this request to the CC support team, has anyone had the same problem already?
If anyone is interested, I fixed this issue by putting the two *.ttc files recommended in this post, extracted from the tar.gz retrieved here (microhei) and here (zenhei), into my git repository in a folder named .fonts/ and including this folder in Gruntfile.js in the same list as the other backend files under copy/dist/files.
Last note: regarding zenhei, I did not copy the .fonts.conf file as well, but only the .ttc.

Orchard 1.8 Package Installation Failure

I am trying to install a package (oForms) with a new Orchard 1.8 installation, but receiving the following error:
"Package installation failed: There was an error installing the requested package. This can happen if the server does not have write access to the '~/Modules' or '~/Themes' folder of the web site. If the site is running in shared hosted environment, adding write access to these folders sometimes needs to be done manually through the Hoster control panel. Once Themes and Modules have been installed, it is recommended to remove write access to these folders."
This seemed rather straightforward; however, my host has confirmed permissions are fine (and even added Everyone/Full Control to the folder), so I'm lost, and it appears to be happening with all modules from the Gallery, not just oForms. I changed the Config/log4net.config file to log everything, and I don't see anything specific in there except where it logs the same message above. Nothing outside of that stands out at all.
Is there a way to see why this is failing? Or, if not, is there a way to get the module and install it manually? I tried to download from the gallery, but it's just a NuGet package so I'm not sure how to take that and grab the raw module files.
You can use a program like 7zip to unzip the NuGet package, then copy in the module manually yourself.
As for the permissions, when adding a new permission to the folder use:
IIS AppPool\name of your application pool
I also had this exact error message when installing modules from the gallery, and it took me a while to figure out what was happening. I made new installations, copying over files one-by-one, and eventually found the culprit. For my case anyways...
For me, it was all due to bad formatting in my custom Theme, specifically the Theme.txt file. On the line where it says Version:, I had it formatted without any "."
Good:
Version: 1.0
BAD:
Version: 1
Yes, making this simple mistake prevented me from installing Modules.

Trouble syncing file-based templates to database using MSM and config bootstrap

I had started my typical EE build (using a bootstrapped config) for a client when they announced they wanted an additional site using the MSM module (le sigh).
So I added the MSM module, commented out $config['site_url'] and $config['cp_url'], and set those in index.php instead using $assign_to_config.
That's when I discovered this bug where MSM config file settings are not recognized, which is a pain but I can work around it. However, I noticed that when I created the secondary site, it wouldn't recognise my custom location for add-ons, and so I had to add that to index.php as well: $assign_to_config['third_party_path'] = "../assets/third_party/";
Then I discovered that when I create or modify a template file, it won't automatically sync and so I need to manually do that each time which is a real PITA.
Why would my templates not be syncing to the database? Is this related to the MSM config bug?
While I haven't tried bootstrapping the third party path yet, I've definitely been able to bootstrap the template path for MSM sites... What bootstrap method are you using?
Are your sites on subdomains or subfolders? I've only had experience with subfolders so perhaps that makes a difference (although it shouldn't).
Could you maybe walk through in a bit more detail what's happening? Your first site (site_id = 1) templates sync automatically from filesystem edits, but your second site does not? Yet if you go to CP > Design > Synchronize Templates, that works?
The $assign_to_config portion of MSM setup is definitely a weak spot when it comes to bootstrapping... I wonder if we need to work up an additional bootstrap for MSM+CP environments, where it looks at the CP cookie ($_COOKIE['exp_cp_last_site_id']) and sets values based on that.
It may be helpful if you let us know which bootstrap you are using. For example, if you look at this bootstrap the site_url and cp_url are set using the HTTP_HOST server variable, so this shouldn't clash with your MSM install (and multiple domains) at all.
Perhaps you could try using that bootstrap file instead, and see if it fixes your issue with template syncing?
Finally, if you're going to use the EE template manager, you don't really need to store templates as files. Conversely, if you want to save templates as files, it's probably much easier editing them using Sublime Text or another editor, rather than the clunky built-in editor (which is really only useful for small/simple changes).

APEX 4.0.1 not working

I recently upgraded to APEX 4.0.1, but when I access 127.0.0.1:8080/apex and log in, the page doesn't respond.
Another thing: the page is supposed to have some photos, but they don't appear. So when I view the source code of the page and open any of the JS files / photo directories / CSS files, I get this:
404 Not found
Not found
The requested URL /i/css/apex_4_0.css was not found on this server
I have Ubuntu 11.04.
There's two steps to the upgrade. The first is (mostly) installing the APEX_040000 objects. The second uploads a bunch of files into the database.
Make sure you carried out the second step correctly, as documented.
It is two steps because, if you are using the Oracle Apex Listener or HTTP Server then you'd put those files on a file system somewhere, rather than in the database.
It sounds like your config file is messed up in some way. Check the configuration to verify that it is directing traffic on port 8080 to the correct directory. Here is a link to how to find the Apache config file and how to read it:
http://www.unix-girl.com/geeknotes/apache_virtual_host_conf.html
The only other thing I can think of is that the directory does not exist. Maybe it got deleted or moved.

Need to change template styles in Liferay

I want to change the look and feel of Liferay using CSS. I am very new to Liferay. Can anyone give me an idea of how to make the changes? Thanks in advance.
The step-by-step seems complicated, but it's not that bad .....
1a) download and unpack the plugins sdk for the version of liferay you want to use. All the downloads are on the sf page http://lportal.sourceforge.net/
1b) make sure you have the latest version of ant and the JDK version that matches your liferay version (1.5.x or 1.6.x)
2) there are a few main folders in the kit. Change into the "themes" folder and run the create script there in this format (on linux or mac you'll need to make the .sh files executable)
c:\liferay\plugins\themes >create my-name "My Theme Description"
linux/mac $>./create.sh my-name "My Theme Description"
This will create a skeleton theme in a folder called my-name-theme and a folder within it called _diff.
Make whatever modifications you want WITHIN THE _diff FOLDER. (except changes to the properties file within WEB-INF)
Once you've made changes, run "ant compile" from within the my-name-theme folder and the SDK will run through its paces and spit out a .war file to the "dist" folder in the SDK root. You can upload this to the site using the plugin installer
OR ... if you configure the sdk to know where your development server is you can run "ant deploy" from the theme's folder and let the autodeploy magic in liferay do the work.
Once the theme is installed just assign it using the "look and feel" tab in the "manage pages" tool.
TIP : Make most of your changes to the custom.css file .... keeps things easy to upgrade.
TIP : Development is really slow for CSS if you do this for every change .... so if you're running a dev server, add a style tag just before the end of the head tag that points into your _diffs/css folder: href="file:///...../_diffs/custom.css". This way whatever edits you make will be compiled into the next version of the war and will override the currently installed version without reuploading. Make sure to remove the link before you put it on a live server.
The liferay.com documentation is great, and there's a "themer's guide" I can't find the link to right now that got me started.
We've done a number of LifeRay customizations for various companies but your question is too vague for us to answer. If you are just looking to change a few colours and fonts then editing the CSS is fine, but if you are looking to completely change the layout then you need to delve in to the template files and start working with the XHTML.
Provide more details and we might be able to prod you in the right direction :D
IMO theme development for Liferay can be quite slow to start with. I have found two different approaches quite useful. They work for me, and might work for you as well.
If you edit files inside the _diff folder, AFAIK you have to deploy every time to see the changes, which can be quite frustrating for front-end developers. An approach can be to edit the CSS file directly in the tomcat/themename folder. Copy the changes every couple of hours or so into the _diff folder and deploy. In my case the CSS stays in
C:\liferay-portal-6.1.0\tomcat-7.0.23\webapps\\css\
Also, if you are aware, Liferay supports Sass now. So if you are writing Sass, "deploy" may be your most likely option. But I have also figured out a way to speed up that process. Install Ruby (if you are on Windows; on Mac it's preinstalled) > install Compass > and create a blank Compass project. Start "compass watch". Open both the scss file and the compiled css file in your IDE. "compass watch" will poll for changes in your scss file and put the compiled output in the css file. Every while you may copy the css output into the css file in the theme folder, or directly into Firebug or the web inspector in Chrome/Safari.
I have found these are faster dev practices than deploying every time or developing completely in Firebug/web-inspector.
Also, if anyone knows of a better method, especially things like CSS/JS-only deploy (or a simple copy, for that matter, if one is not writing Scss), please let us know.
You can make your custom style with the liferay plugins sdk, which can be found here: http://www.liferay.com/downloads/liferay-portal/additional-files
There is a themes folder included, in which you can create a new theme. Liferay generates a basic theme there as a boilerplate, which you can then customize and deploy to your Liferay installation.
You can
mvn archetype:generate
then select "liferay-theme-archetype (Provides an archetype to create Liferay themes.)" et voilà, you are ready to customize your theme.
Best practice recommends that you make all your custom themes using only the custom.css file, and that you not override any of the templates unless absolutely necessary. This will make future upgrades far easier, as you won't have to manually modify your templates to add support for new Liferay features.
Deploy the newly created theme using
mvn clean package liferay:deploy