Skip to content

/OpenSID

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] [Security] Form Upload Dokumen #1990

Closed
mugi789 opened this issue Mar 26, 2019 · 1 comment
Labels
security
Projects
Rilis yang sedang dikerjakan

Comments

@mugi789
Copy link

@mugi789 mugi789 commented Mar 26, 2019
edited

Bagaimana alurnya sampai muncul masalah?

  1. Login http://belajar.opendesa.id/index.php/siteman
    1l
  2. Lalu ke halaman artikel http://belajar.opendesa.id/index.php/web
  3. Klik "Tambah Berita Baru" http://belajar.opendesa.id/index.php/web/form/1
    2l
  4. Pada form dokumen lampiran lalu pilih file .pdf yg akan diupload
  5. Kemudian lakukan tamper data
  6. Ubah extensinya yg awalnya .pdf ganti dengan .html
  7. Dan ini contoh file yg telah saya upload
    http://belajar.opendesa.id/desa/upload/dokumen/test.html
    3l

Seperti apa yang diharapkan?

Hanya dpt mengunggah file dokumen

Apa yang terjadi?

Dpt mengunggah file selain file dokumen

Informasi tambahan

Selain html, file lain pun bisa masuk, kecuali ext .php

Update

Extension .php5 lolos, bisa masuk
http://belajar.opendesa.id/desa/upload/dokumen/x.php5
gambar

Tanya Jawab
Versi OpenSID 19.03-pasca
Versi PHP
System operasi
@mugi789 mugi789 changed the title [BUG] [Security] Pada Form Upload Dokumen [BUG] [Security] Form Upload Dokumen Mar 26, 2019
@eddieridwan eddieridwan added this to SUDAH DI MASTER in Rilis yang sedang dikerjakan Mar 30, 2019
eddieridwan added a commit that referenced this issue Mar 30, 2019
@eddieridwan
#1990: Sekarang nama file dokumen lampiran yang diunggah di artikel h…
54beb89 
…arus berekstensi .pdf, .ppt, .pptx, .pps, .ppsx, .doc, .docx, .rtf, .xls atau .xlsx [security-fix]
@eddieridwan

This comment has been minimized.

Sign in to view
Copy link
Collaborator

@eddieridwan eddieridwan commented Mar 30, 2019

Sudah dicommit ke master.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
Rilis yang sedang dikerjakan
SUDAH DI MASTER
Milestone
No milestone
2 participants
@mugi789 @eddieridwan
You can’t perform that action at this time.