Starting with 17th May 2007, Adobe Systems will stop offering support for any version of the discontinued InterAKT products. As a result, we will not answer new support incidents starting with May 17th, 2007. Pending support incidents will still be followed up in order to be closed. The product forums will remain open and be transformed into user-to-user forums. The general forums will be made read-only and will not allow new posts or comments.
For more information about the affected products visit: www.interaktonline.com/Support/
west matrix
05-14-2008 19:32:32 GMT +2
Can someone else who is using or has used KTML Professional please tell me whether it's a security risk of any kind?
A friend of mine has developed some websites and added KTML Professional to them.
His host keeps renaming the one directory (ktedit) to this (ktedit.security.risk).
I am lost here and interested to know whether anyone else has had this problem at all.
Why is it a security risk, when they use suPHP on the server and all the directories are set to "0755"?
Cheers
Fred at ExelWebs.com
05-14-2008 19:58:39 GMT +2
Yes, KTML "could" be a security risk if you allow any scripting to be included in the content.
You should not have this in an unprotected area where just anyone can use it.
Remember it is more than just a text editor. It is an HTML editor, and anyone can switch to code view and edit the HTML or even paste HTML into the editor.
The question should actually be addressed to the host.
Ask them why they see it as a security risk. If they are any good they will tell you why they are renaming the folder.
west matrix
05-14-2008 22:12:57 GMT +2
I don't know much about it, but thanks for your input here.
What exactly, or how exactly, can it be a risk if it only allows adding or editing of pages?
Cheers
Fred at ExelWebs.com
05-14-2008 23:15:24 GMT +2
Well, if you allow <iframes> or JavaScript you can easily include a call to a third-party file that might include a virus or something.
A couple of questions...
How secure are the pages where the editor is included?
Who can get access to the editor?
How secure is the server?
Bottom line is, I have KTML installed on most of my sites in some form or another.
On my servers I run suEXEC, the latest Apache, and Linux security patches.
People getting access to the KTML pages are known and verified members of the site/s.
All unnecessary buttons are removed and no scripts or iframes are allowed to be used in the editor.
If your configuration is similar to mine, ask the host why they see it as a risk. If they don't/can't give you a good reason, move your hosting elsewhere or visit my site and order some hosting.
My hosting is not the cheapest around, but it sure is one of the most reliable and flexible, hosted at one of the largest datacentres (The Planet, Dallas) in the world with dedicated admins on standby.
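The point Fred makes here, and again in his later post about fine-tuning the "allowed and disallowed" tags, is that editor output is untrusted HTML and active content has to be removed before it is stored or rendered. The following is an added example written for this thread, not KTML's own filter: a server-side allow-list sanitizer built on PHP's DOMDocument. The tag and attribute lists, the function names and the sample input are assumptions chosen to illustrate the technique; a site would tune the lists to the markup its editor is meant to produce.

```php
<?php
// Added example (not KTML's code): allow-list filtering of editor output.
// Unknown tags are unwrapped (text kept), active content is dropped entirely,
// event-handler attributes and javascript:/data: URLs are removed.

// Tags the content may contain (assumption for this example).
const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'img',
    'table', 'tr', 'td', 'th', 'tbody', 'thead', 'div', 'span', 'ul', 'ol', 'li',
    'h1', 'h2', 'h3'];

// Attributes allowed per tag; anything not listed (every on* handler, style, etc.) is removed.
const ALLOWED_ATTRS = [
    '*'   => ['class', 'align', 'width', 'height', 'border', 'cellpadding', 'cellspacing'],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt'],
];

// Active content: removed together with everything inside it.
const DROP_WITH_CHILDREN = ['script', 'iframe', 'object', 'embed', 'style', 'applet', 'form'];

function sanitize_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // Wrap the fragment in a known root so no implied <html><body> is added.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;          // the wrapper <div>
    clean_node($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_node(DOMNode $node): void {
    // Snapshot the child list: we remove and move nodes while walking it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!($child instanceof DOMElement)) {
            if ($child instanceof DOMComment) {      // comments carry no content worth keeping
                $node->removeChild($child);
            }
            continue;                                // text nodes stay as they are
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CHILDREN, true)) {
            $node->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown wrapper: clean its subtree first, then hoist the children and drop the tag.
            clean_node($child);
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        clean_attributes($child, $tag);
        clean_node($child);
    }
}

function clean_attributes(DOMElement $el, string $tag): void {
    $allowed = array_merge(ALLOWED_ATTRS['*'], ALLOWED_ATTRS[$tag] ?? []);
    foreach (iterator_to_array($el->attributes, false) as $attr) {
        $name = strtolower($attr->name);
        if (!in_array($name, $allowed, true)) {
            $el->removeAttributeNode($attr);
            continue;
        }
        if (($name === 'href' || $name === 'src') && !safe_url($attr->value)) {
            $el->removeAttributeNode($attr);
        }
    }
}

// Only http(s), mailto and relative URLs survive; browsers ignore control
// characters inside a scheme, so strip them before looking at it.
function safe_url(string $url): bool {
    $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $url));
    if (preg_match('/^([a-z][a-z0-9+.-]*):/', $probe, $m)) {
        return in_array($m[1], ['http', 'https', 'mailto'], true);
    }
    return true;
}

// Constructed sample of what someone could paste into code view.
$dirty = '<table border="0" width="700"><tr><td onclick="alert(1)">Hello '
       . '<iframe src="http://third-party.example/x.html"></iframe>'
       . '<a href="javascript:alert(1)">link</a><script>alert(1)</script></td></tr></table>';
echo sanitize_html($dirty), "\n";
```

The filter runs on the server at save time rather than relying on the editor's toolbar configuration, since anyone who can reach the editor page can submit the form without it. Attribute-level filtering matters as much as tag filtering: a `<td>` is harmless, a `<td onclick>` is not.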
west matrix
05-15-2008 01:10:44 GMT +2
The only person who has access to it is him.
I have looked at it and it is very basic tables and HTML.
I have seen that he has the ability to upload images and other files.
<table border="0" cellpadding="0" cellspacing="0" width="700"> <div align="left" class="normaltext">
The idea that he had was to upload and arrange the images in the text to make it look nice; otherwise I could suggest that he use "SPAW Editor", it seems better than KTML in presentation. http://www.spaweditor.com/
It may be that there is some security risk on their servers that is the problem, or the admins are not educated enough; not sure, will see what they say.
Cheers
Actually it's similar to this textarea that I reply to you in, nothing special.
Fred at ExelWebs.com
05-15-2008 02:08:32 GMT +2
It is very strange that they would just rename a folder.
I would be very upset if anyone just renamed something on one of my sites without telling me why.
If you hear anything from the admins please post it here. Maybe they know something that the rest of the world doesn't.
Good luck!!
west matrix
05-15-2008 10:57:14 GMT +2
My friend just got a mail from his hosts.
The folder that they keep renaming is "ktedit", to "ktedit.security.risk".
They say:
Please be advised that due to incorrectly set file permissions on files and folders in the ktedit directory a third party was able to upload and execute scripts on the server, greatly compromising the security of both the website and the server.
We found numerous malicious files in the ktedit directory, including an IRC bot, a proxy server and a remotely executable PHP script. As this is unacceptable we deemed it necessary to move the directory to a different name to ensure the security of the server.
Please ensure that all your files and folders have the correct permissions set in future.
I don't think I understand how this is possible and asked him/them for the logs to try and figure out the truth; they kindly deleted the logs after renaming the directory.
Interesting yet not very helpful.
Thanks for your help here, I do appreciate it.
Cheers
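The host's finding has two parts a site owner can check without the deleted logs: permissions on the editor directory that allow writing, and script files sitting where only uploaded data belongs. The script below is an added example for this thread, not something from KTML or the host. It is a read-only audit run from the command line as the site owner, using the 644/755 baseline Fred gives later in the thread as the threshold; the directory names treated as upload locations and the list of script extensions are assumptions to adjust for a particular server.

```php
<?php
// Added example (not KTML's code or the host's tooling): audit a web directory for
// over-permissive modes and for scripts inside upload locations.
// Usage: php audit_ktedit.php /path/to/ktedit

// Baseline from the thread: at most 644 for files and 755 for directories.
const MAX_FILE_MODE = 0644;
const MAX_DIR_MODE  = 0755;

// Extensions a PHP/CGI host typically executes (assumption; extend for your server).
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'pl', 'cgi', 'sh', 'py'];

/**
 * Walk $dir and return findings as ['path' => ..., 'issue' => ...].
 * $uploadDirs are top-level subdirectories (relative to $dir) that should hold
 * only data files, so any script found there is reported.
 */
function audit_tree(string $dir, array $uploadDirs = ['uploads', 'images']): array {
    $findings = [];
    $base = rtrim($dir, '/');
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        /** @var SplFileInfo $entry */
        $path  = $entry->getPathname();
        $mode  = $entry->getPerms() & 0777;
        $limit = $entry->isDir() ? MAX_DIR_MODE : MAX_FILE_MODE;
        // Bits present in $mode but absent from the limit are extra rights
        // (for example 0777 against 0755 leaves 0022: group and world write).
        $extra = $mode & ~$limit;
        if ($extra !== 0) {
            $findings[] = ['path' => $path,
                           'issue' => sprintf('mode %04o exceeds baseline %04o', $mode, $limit)];
        }
        if (!$entry->isFile()) {
            continue;
        }
        $ext = strtolower($entry->getExtension());
        $rel = substr($path, strlen($base) + 1);
        $top = explode('/', $rel)[0];
        if (in_array($ext, SCRIPT_EXTENSIONS, true) && in_array($top, $uploadDirs, true)) {
            $findings[] = ['path' => $path, 'issue' => 'script file inside upload directory'];
        }
        // With Apache's AddHandler a name such as photo.php.jpg is still run as PHP,
        // so a script extension anywhere before the last dot is worth reporting.
        if (preg_match('/\.(' . implode('|', SCRIPT_EXTENSIONS) . ')\./i', $entry->getFilename())) {
            $findings[] = ['path' => $path, 'issue' => 'script extension hidden in filename'];
        }
    }
    return $findings;
}

$target = $argv[1] ?? 'ktedit';
if (!is_dir($target)) {
    fwrite(STDERR, "not a directory: $target\n");
    exit(2);
}
$findings = audit_tree($target);
foreach ($findings as $f) {
    printf("%-60s %s\n", $f['path'], $f['issue']);
}
// Non-zero exit when anything was found, so the audit can run from cron.
exit($findings ? 1 : 0);
```

Run it before and after changing permissions: a clean run means nothing under the editor directory is group- or world-writable and the upload folders contain only data files. It reports, it does not modify; renaming or deleting is a decision for the owner once the files have been looked at.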
Dorothy Ryan
06-16-2008 19:06:14 GMT +2
My hosting company just informed me that there was a security breach which caused the server to crash and it was because of the ktmlpro folder.
Has anyone else experienced this and if so, do you know how it can be made secure?
Thanks - any help appreciated.
Fred at ExelWebs.com
06-16-2008 20:01:19 GMT +2
People, you need to understand that any application is as good as the programmer/integrator.
KTML settings allow you to specify:
- what files can be uploaded
- the size of those files
- where they can be uploaded
Reading the KTML manual, you can fine-tune the "allowed and disallowed" <tags> that can be used inside the editor.
Read up about server security and CHMOD settings for files and folders.
Specify the upload folders to point to a different location on the server and set the permissions as low as possible.
Set the KTML folder permissions to as low as possible.
Protect the page with user logins and access levels and make sure the passwords are secure.
On my own server I only allow maximum CHMOD settings of 644 for files and 755 for all folders. Anything else will generate a 500 server error. (Running suEXEC on the server.)
My server is located in the largest data centre in the world and I had them do an audit on my server about two weeks ago after it crashed a couple of times due to high server load.
Turned out a couple of clients had their sites compromised through outdated 3rd-party scripts.
Not a single issue with KTML, and I am using it in just about every website I am developing.
I even have it in an unprotected site that is working as a demo for a CMS that I developed using KTML.
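Fred's three upload settings (what may be uploaded, how big, and where) map onto concrete server-side checks. The handler below is an added example written for this thread, not KTML's upload code: it validates one `$_FILES` entry by extension and sniffed content type, enforces a size limit, stores the file under a generated name outside the document root with mode 0644, and serves stored files back through a script so the upload directory never needs to be web-accessible. The directory path, size limit, allowed types and function names are assumptions for the example; it also assumes the including page has already checked that the user is logged in and allowed to upload, as Fred advises.

```php
<?php
// Added example (not KTML's code): server-side upload validation and storage.
// Assumes the caller has already authenticated and authorised the user.

const UPLOAD_DIR = '/var/www/site-data/uploads';   // assumption: outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;                 // assumption: 2 MB limit
// Extension the client claims -> MIME types the bytes must actually have.
const ALLOWED_TYPES = [
    'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'png' => ['image/png'],  'gif'  => ['image/gif'],
    'pdf' => ['application/pdf'],
];

/**
 * Validate one $_FILES entry and move it into UPLOAD_DIR under a generated name.
 * Returns the stored filename; throws RuntimeException with a user-safe reason.
 */
function store_upload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file exceeds size limit');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // The client-supplied name and type are untrusted: take only the extension,
    // sniff the real content type with fileinfo, and require the two to agree.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content ($mime) does not match .$ext");
    }
    // Random name with a single known extension: no user-controlled path
    // components and no double extensions such as photo.php.jpg reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable; not executable; not writable by the server group or others
    return $name;
}

// Deliver a stored file. Serving through a script keeps UPLOAD_DIR outside the web root.
function send_upload(string $name): void {
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    if (!preg_match('/^[a-f0-9]{32}\.[a-z]+$/', $name) || !isset(ALLOWED_TYPES[$ext])) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED_TYPES[$ext][0]);
    header('X-Content-Type-Options: nosniff');       // stop browsers second-guessing the type
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['file'])) {
    try {
        echo 'stored as ' . htmlspecialchars(store_upload($_FILES['file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
} elseif (isset($_GET['f'])) {
    send_upload((string) $_GET['f']);
}
```

Two of the checks do the heavy lifting against the incident described earlier in the thread: the extension allow-list plus content sniffing means a PHP file cannot be stored however it is named, and the 0644 mode plus a location outside the document root means that even a file that slipped through could not be executed by requesting it.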
JeffB
06-20-2008 12:30:15 GMT +2
Seems I have had the security problem as well; in my case ktmlliterf in an MXshop. Someone used some XSS hole to upload/change my index page. I have renamed the ktmllite folder till I can work out how they did it, but this seems to be a generic risk with KTML!!
Jeffb1