
[BUG] [Security] Document Upload Form #1990

Closed
mugi789 opened this issue Mar 26, 2019 · 1 comment

Comments


@mugi789 mugi789 commented Mar 26, 2019

What are the steps that lead to the problem?

  1. Log in at http://belajar.opendesa.id/index.php/siteman
  2. Then go to the article page http://belajar.opendesa.id/index.php/web
  3. Click "Tambah Berita Baru" (Add New Article) http://belajar.opendesa.id/index.php/web/form/1
  4. In the attachment document form, pick the .pdf file to upload
  5. Then tamper with the request data
  6. Change the extension from .pdf to .html
  7. And here is an example of a file I uploaded
    http://belajar.opendesa.id/desa/upload/dokumen/test.html

What was expected?

Only document files can be uploaded

What happened?

Files other than document files can be uploaded

Additional information

Besides html, other file types get through as well, except the .php extension

Update

The .php5 extension passes and gets through
http://belajar.opendesa.id/desa/upload/dokumen/x.php5

Q&A
OpenSID version: 19.03-pasca
PHP version:
Operating system:
@mugi789 mugi789 changed the title [BUG] [Security] On the Document Upload Form [BUG] [Security] Document Upload Form Mar 26, 2019
@eddieridwan eddieridwan added this to SUDAH DI MASTER in Rilis yang sedang dikerjakan Mar 30, 2019
eddieridwan added a commit that referenced this issue Mar 30, 2019
…must have the extension .pdf, .ppt, .pptx, .pps, .ppsx, .doc, .docx, .rtf, .xls or .xlsx [security-fix]
Collaborator

@eddieridwan eddieridwan commented Mar 30, 2019

Already committed to master.
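The report above shows the classic failure of a denylist ("block .php") on an upload form: renaming the file to .html or .php5 slips past it. The fix commit instead enforces the allowlist of document extensions it names. The following is an added illustration of that allowlist approach, written here for this issue and not taken from OpenSID's code base; it assumes a hypothetical `validate_document()` helper, a constructed table of file signatures, and sample byte strings constructed inline. It also contrasts the weak denylist check so the difference in outcome is visible.

```python
import os
import secrets

# Allowlist taken from the fix commit referenced in this issue.
ALLOWED_EXTENSIONS = {"pdf", "ppt", "pptx", "pps", "ppsx", "doc", "docx", "rtf", "xls", "xlsx"}

# Constructed signature table: the legacy Office formats share the OLE2 header,
# the OOXML formats are ZIP containers, PDF and RTF have text headers.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP = b"PK\x03\x04"
MAGIC = {
    "pdf": (b"%PDF-",),
    "rtf": (b"{\\rtf",),
    "doc": (OLE2,), "xls": (OLE2,), "ppt": (OLE2,), "pps": (OLE2,),
    "docx": (ZIP,), "xlsx": (ZIP,), "pptx": (ZIP,), "ppsx": (ZIP,),
}


def denylist_check(filename):
    """The weak pattern the report describes: reject only a literal '.php' extension.
    Returns True when the upload would be accepted."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext != "php"


def validate_document(filename, data):
    """Allowlist validation of an uploaded document.

    Returns (accepted, detail). On success `detail` is a server-generated
    storage name, so the client-supplied name never reaches the filesystem.
    """
    # Normalise path separators and strip any directory component the client sent.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not an allowed document type"
    # Reject names with several extensions (e.g. x.php5.pdf): some web server
    # handler configurations match on any dotted segment, not only the last one.
    if "." in stem:
        return False, "multiple extensions are not allowed"
    # The extension alone is not proof of content; require the matching signature.
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not look like a .{ext} file"
    # Store under a random name with the validated extension.
    return True, f"{secrets.token_hex(16)}.{ext}"


def run_demo():
    """Run both checks over the cases from the report plus a genuine document."""
    samples = {  # constructed sample uploads
        "test.html": b"<html><script>alert(1)</script></html>",
        "x.php5": b"<?php echo 'hi'; ?>",
        "shell.PDF": b"<?php echo 'not really a pdf'; ?>",
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "minutes.docx": ZIP + b"\x14\x00\x06\x00constructed",
    }
    return {
        name: {"denylist": denylist_check(name), "allowlist": validate_document(name, data)[0]}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:14} denylist accepts={result['denylist']!s:5} allowlist accepts={result['allowlist']}")
```

The denylist column accepts every renamed upload from the report, while the allowlist column rejects them and accepts only files whose extension and leading bytes both match a document type. Serving the upload directory with script execution disabled and a fixed `Content-Type` is the complementary control, since validation alone does not stop a browser from rendering a well-formed file in an unexpected way.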
