Security hole allowing remote filesystem access #25

Closed
dylanpyle opened this Issue Apr 23, 2012 · 1 comment


Hi there,
I haven't had time to check out the rest of the source at all, but on preliminary scan, the file 'alpha3/server/generateArchive.php' has a rather glaring security error.
Simply put, this file is allowing any unvalidated, user-specified file name to be written to with any unvalidated, user-specified data. Here's what happens if, for example, the following inputs are passed:

    $_POST["data"] = "Just a test! Hope this doesn't work";
    $_POST["filename"] = "../../index";

result: http://www.hsivaram.com/impressionist/ (I didn't delete any data; there was no index page here before.)

One immediate fix would be to strip out dots and slashes from the file name to be written to. This should be done immediately, and retroactively -- fix this in all the previous versions you're hosting too!

I didn't want to submit a pull request since I have a feeling this may be an issue elsewhere. I would be verrry careful for the time being - your personal server is running code with some glaring security holes. My advice would be to take down your hosted copy immediately until you can resolve all of these with certainty.
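
One way to implement the file name restriction suggested above, as an added PHP example that is not part of the original issue or of the project's code: it rejects any name outside a character allowlist, so dots and slashes never reach the filesystem, and then confirms the resulting path stays inside the storage directory. The function name `resolveArchivePath`, the storage directory and the `.zip` suffix are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the project's code: maps a user-supplied name to a
// path inside $baseDir, or throws. $baseDir and the ".zip" suffix are assumed.
function resolveArchivePath(string $baseDir, string $userName): string
{
    // Allowlist: letters, digits, underscore and hyphen only. This excludes
    // ".", "/", "\" and NUL bytes outright, so "../../index" is rejected.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $userName) !== 1) {
        throw new InvalidArgumentException('invalid file name');
    }

    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('storage directory missing');
    }

    // The server picks the suffix, so the caller cannot choose an executable
    // extension. Defence in depth: the parent of the final path must be $base.
    $target = $base . DIRECTORY_SEPARATOR . $userName . '.zip';
    if (dirname($target) !== $base) {
        throw new RuntimeException('path escapes storage directory');
    }
    return $target;
}

// Constructed demo: a temporary directory and sample names, one of them the
// value from the report above.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'archives_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}

foreach (['my-presentation', '../../index', 'a/b', '..', ''] as $name) {
    try {
        $path = resolveArchivePath($dir, $name);
        // LOCK_EX avoids interleaved writes; the data is still untrusted.
        file_put_contents($path, 'demo', LOCK_EX);
        echo 'accepted: ', basename($path), PHP_EOL;
    } catch (Throwable $e) {
        echo 'rejected: ', var_export($name, true), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```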

Owner

harish-io commented Apr 24, 2012

Thanks a lot for logging this. I am not a server side expert, so this was expected. :) Working on resolving this now. Thanks again.

dylanpyle closed this Apr 26, 2012
