File Inclusion with Possible RCE #574
Comments
There are quite some security checks before including anything. Uploading a JPEG in the "upload" directory won't be able to get his file included. You can't have ".." as part of the $sections, for example.
Hey @plegall, if you are implying: As a security fix, it isn't sufficient because it only sanitizes $plugin_id = $sections[0]; How about other $sections[i] other than [0]? They aren't sanitized, we just have to send in another array. All the security checks apply to the $plugin_id which is just the first occurrence of $sections. Thanks,
No part of the $sections can be ".."
@plegall not good enough, because that checks if $sections[i] is exactly "..", which is sad because attackers can send in /..// or /..%2F and the $sections[$i]=='..' will return false. I suggest doing a preg_replace() on it rather than that one. It is easy to jump.
Use CVE-2016-10105 for this.
In Piwigo/admin/plugin.php
As you can see, a user-controlled variable is being sent straight to include_once(). A person who managed to upload a .jpg file or any other content with a PHP payload will just need to refer to that location and include_once() will execute it, making a code execution possible.
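The per-segment check debated in this thread, written as an allowlist on every element of `$sections` plus a resolved-path containment test before anything reaches `include_once()`. This is an added example, not code from Piwigo or from any participant in the thread; `resolve_plugin_include()`, the `.php` suffix and the sample directory layout are assumptions.

```php
<?php
// Added example, not Piwigo code. Function name, ".php" suffix and layout are assumptions.

/**
 * Map request sections to a file under $pluginsRoot, or return null.
 * Every segment is validated, not only $sections[0].
 */
function resolve_plugin_include(array $sections, string $pluginsRoot): ?string
{
    $root = realpath($pluginsRoot);
    if ($root === false || $sections === []) {
        return null;
    }
    foreach ($sections as $segment) {
        // Allowlist: one rule rejects "..", "/", "\", "%", NUL and empty segments.
        if (!is_string($segment) || preg_match('/\A[A-Za-z0-9_-]+\z/', $segment) !== 1) {
            return null;
        }
    }
    $joined = implode(DIRECTORY_SEPARATOR, $sections);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $joined . '.php');
    // realpath() resolves symlinks and dot segments; the result must stay under the root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

// Constructed sample tree in a temp directory so the script runs offline.
$base = sys_get_temp_dir() . '/plugin_demo_' . getmypid();
mkdir($base . '/plugins/demo', 0700, true);
mkdir($base . '/upload', 0700, true);
file_put_contents($base . '/plugins/demo/admin.php', "<?php // plugin page\n");
file_put_contents($base . '/upload/photo.php', "<?php // stand-in for an uploaded file\n");

$cases = [
    ['demo', 'admin'],                  // legitimate plugin page
    ['demo', '..', 'upload', 'photo'],  // exact ".." segment after index 0
    ['demo', '..%2Fupload', 'photo'],   // encoded separator inside one segment, as named in the thread
    ['demo', 'missing'],                // well-formed but no such file
];
foreach ($cases as $sections) {
    $path = resolve_plugin_include($sections, $base . '/plugins');
    printf("%-30s => %s\n", implode('/', $sections), $path === null ? 'rejected' : 'ok: ' . basename($path));
}
```

Only the first case resolves to a file; the caller would pass that returned path, never the raw request value, to `include_once()`.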