Tiny_MCE - Insert/Upload images into letters

Hi, 

I found a simple yet effective plugin that adds the ability to actually upload and insert images into "letters". The default function now is only embedding from an external URL.
  

What do you need? Dolphin 7.1 & JustBoil.me Images which you can download from http://justboil.me/
  

The instructions are simple, just extract the zip file and upload the jbimages folder to your boonex installation of Tiny_MCE:
  

plugins/tiny_mce/plugins
  

Decide where you want to store all the uploaded images, make the directory in your dolphin installation (I chose jbimages off the root of my install) and then edit and set your options in:

plugins/tiny_mce/plugins/jbimages/config.php

While you're in there, adjust any of the other options you want, they're described quite clearly.
  

After creating the folder I created an .htaccess file with the following in it so no one can browse the images:

Options -Indexes<FilesMatch "^.*.php|.*.php5$">ForceType application/x-httpd-php-source</FilesMatch>

templates/base/scripts/BxBaseEditorTinyMCE.php

Look for this:

   protected static $CONF_STANDARD = "                        plugins: 'autolink,lists,inlinepopups,jbimages,media,paste,fullscreen',                        width: '100%',                        height: '270',                        theme: 'advanced',                        theme_advanced_buttons1: 'bold,italic,underline,removeformat,|,bullist,numlist,|,justifyleft,justifycenter,justifyright,|,undo,redo,|,blockquote,formatselect',                        theme_advanced_buttons2: 'hr,link,unlink,jbimages,media,|,fullscreen,cleanup,pastetext,code',                        theme_advanced_buttons3: '',

And this:

   protected static $CONF_FULL = "                        plugins: 'autolink,lists,table,inlinepopups,jbimages,media,searchreplace,print,paste,fullscreen',                        width: '100%',                        height: '320',                        theme: 'advanced',                        theme_advanced_buttons1: 'bold,italic,underline,removeformat,|,sub,sup,|,bullist,numlist,|,justifyleft,justifycenter,justifyright,justifyfull,|,undo,redo,|,outdent,indent,blockquote,formatselect,|,hr,link,unlink,jbimages,media',                        theme_advanced_buttons2: 'anchor,|,tablecontrols,|,visualaid,|,search,replace,|,print,|,fullscreen,cleanup,pastetext,code',

You'll probably already see "image" in there, I changed that to "jbimages" because I don't want to use the image embed but if you want both, just add in the jbimages plugin name just as the others are.

Clear your Dolphin & Browser caches and you should see the new button.

The default plugin has a link back to the author (in the upload dialog box) , but flip the dude a donation and you can remove the link, as I have.

Thanks to everyone who helps out around here!

I see nothing in your implementation that gives members their own unique storage folder, or any other way to keep images associated with their owner.  You can't just upload every members images into the same place without those provisions.

Never said it did, but is that any different then the lame photo organization dolphin offers now? You (the admin by means of the config.php) have the option to "encrypt" the filename so chances of someone guessing another's file name is near impossible.

Anyway, take it or leave it. It works for me and my members.

I take it is not meant to be a TinyMCE file manager.  The site did not have a demo so I don't know how this works.  If it is just for uploading images to insert, and not as a file manager where members go back and edit or remove images, and one can not browse the images already uploaded, then the fact that all images are dumped to the same directory is probably not an issue.

There might be a huge problem.  Since it's a file uploader, it should have some sort of user authentication so that no one could browse to the plugins dialog.htm and start uploading files.  It's a possible security risk.

it won't upload if it's not properly init'd, which can only be done in the messaging system of dolphin, which would require an account.

 right, it's not a file manager, just the ability to upload an image and put it in the message you are sending.

What happens to the images when the message is deleted?

Would I have to scan my messages database then remove that image if the message has been deleted?

They're left behind unfortunately. I have note in the upload dialog that attached images are automatically purged after 90 days so the recipients are encouraged to save them.

HL mentioned security and that is important.  Can it be set so that only image files; by extensions, .jpg, jpeg, gif, png, can be uploaded?  By the way, there is an exploit that needs to be taken care of in your web server config.  That exploit is where a php script masquerades as an image; myprettyimage.php.jpg.  Under the right conditions, if the exploit has not been blocked, the web server will execute the php script.

 Yes it can

        $config['allowed_types'] = 'gif|jpg|png';

Oh really? How do I correct that? Not to mention... how do you know my website? ;)

would including "php_admin_flag engine off" or "deny from all" in the .htaccess for the image folder suffice?

I don't know your website if that was asked of me.

I can tell you how to block the exploit in Nginx as that is the web server I am using.  Otherwise, I would suggest searching the internet.  If you are hosting with a company that provides managed servers, they probably can help you with it.  I came across this as I was setting up Nginx and did some reading on it.

Now, I actually saw in my server logs where someone was looking for this exploit on my server; of course the exploit they were looking for was in a CMS that is not on my server but it illustrates that the exploit is out there and there are those trying to use it.

Let's say a member uploads mycatfluffy.php.jpg and the file is uploaded to the image store on your system.  Now, if someone knows the location of the image store, they try to navigate to the file and get the browser to execute the code, http://yoursite.tld/image_store/mycatfluffy.php.jpg.  If the exploit is not closed on the server, then the webserver can actually execute the php script.

That works because most users of the internet don't know anything about files.  We see that php and it sends up a huge red flags.  Your users will just upload the image thinking they are going to see mycatfluffy.

oh ok. sounded like you were telling me my site was vulnerable. It's not btw, but in case anyone wants to  check for that see this:

http://core.trac.wordpress.org/ticket/11122

Anyway, this is getting off topic of my thread.

-over and out-

Does anyone have any further comments or suggestions or experience for this add on.