
Security: Hole allows uploading a PHP script via the village logo upload #963

Closed
mugi789 opened this Issue Apr 27, 2018 · 3 comments


3 participants
@mugi789

mugi789 commented Apr 27, 2018

There is still a hole/bug in the village logo upload.
It needs to be fixed again.

@eddieridwan eddieridwan changed the title from "Uploader hole" to "Security: Hole allows uploading a PHP script via the village logo upload" Apr 27, 2018

@eddieridwan eddieridwan added this to PRIORITIZED in Release in progress Apr 27, 2018

@egodasa


Contributor

egodasa commented Apr 27, 2018

Sorry, could you spell out the steps that lead to this bug appearing?

@eddieridwan


Collaborator

eddieridwan commented Apr 29, 2018

Try giving a PHP file the .jpg extension, for example script.php.jpg.
In the SID Home > Identitas Desa menu, try uploading that file as the logo. It is uploaded without any error, even though it should not be possible.

This error is caused by the logo upload feature currently relying on the mime type supplied by the browser, which is easily spoofed.

The methods involved: update() in Config_model.php, and UploadLogo() in pict_helper.php.

Change it to use the upload library provided by CodeIgniter. See an example of the upload library in use in Surat_masuk_model.php. Study it and see whether it can be turned into a general method, placed in pict_helper.php, for use by every file upload function.
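The weakness described in this comment (trusting the browser-supplied mime type) next to a server-side content check, as an added plain-PHP example that is not the project's code and does not use CodeIgniter's upload library, which the comment recommends; the function names and the `$destDir` parameter are assumptions made for the illustration.

```php
<?php
// Added example (not the project's code). $upload is one entry of $_FILES,
// e.g. $_FILES['logo'], as PHP populates it for a multipart form upload.

// Weak check: $upload['type'] is sent by the client and can claim
// "image/jpeg" for any file, so script.php.jpg passes this test.
function logoLooksValidWeak(array $upload): bool
{
    return in_array($upload['type'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Hardened check: inspect the bytes on the server, require that PHP can
// decode them as an image, and never reuse the client's file name.
function storeLogo(array $upload, string $destDir): string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not a real upload');
    }

    // Content sniffing: a PHP script renamed script.php.jpg is reported here
    // as text/x-php or text/plain, not as an image type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }

    // Second opinion: the image decoder must agree with finfo.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a decodable image');
    }

    // Server-chosen name and extension: double extensions, path separators
    // and other client-controlled name parts never reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload');
    }
    return $dest;
}
```

Serving the destination directory with script execution disabled is a separate, complementary control; content checks alone are not a substitute for it.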

@eddieridwan eddieridwan moved this from PRIORITIZED to IN PROGRESS in Release in progress May 5, 2018

@eddieridwan eddieridwan self-assigned this May 5, 2018

@eddieridwan


Collaborator

eddieridwan commented May 6, 2018

Committed to master.

@eddieridwan eddieridwan closed this May 6, 2018

@eddieridwan eddieridwan moved this from IN PROGRESS to ALREADY IN MASTER in Release in progress May 6, 2018