Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authenticated local file inclusion possible #994

Closed
Fasse opened this issue Jan 23, 2021 · 0 comments
Closed

Authenticated local file inclusion possible #994

Fasse opened this issue Jan 23, 2021 · 0 comments

Comments

@Fasse
Copy link
Member

Fasse commented Jan 23, 2021

-Authenticated Local File Inclusion. Need admin or upload permissions.
Someone with upload permissions can use the move to db ability to "get" local files and move to the Documents & Folders view. The mitigation to block "/" from file names works, but if you double encode it, it bypasses the check...

@Fasse Fasse added this to the v4.0.4 milestone Jan 23, 2021
@Fasse Fasse self-assigned this Jan 23, 2021
@Fasse Fasse closed this as completed Jan 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant