New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
.htaccess files allowed in themes #3257
Comments
|
I don't think this is an actual issue because if you have access to the backend, then you can already install whatever plugin you want which would grant you full access to the backend. What would an ideal behaviour for October to do when encountering what you are talking about be? |
|
Well, at first, thanks for your response, sir. But if the user config a weak password or use the default password, then the hacker can easily login into the backend, and upload the evil files. And I've checked the other functions, it seems they don't allow normal user to upload evil php file strictly , isn't it? For example, we can make a white list for these files , not allowed php files and etc. I think maybe this will be good, how do you think about it, sir? |
|
I don't think that's a threat model that we need to be considering. If an attacker is able to login to the system under an account that has access to manage/upload themes then no amount of whitelisting zip extraction is going to save you. For example, an attacker in that situation could easily just upload a theme with the following file: Then all they need to do is visit example.com/hacked in their browser and boom. Same thing as a PHP file, but without actually using a PHP file. |
|
Uhhh, actually I know the part you say , sir. As regards the solution,I think at this part: Exactly, I admit a not so important vulnerability like strored-type xss here should be ignored. But if the hacker can control system by the function, it could be a very bad thing at last, |
|
I think you're missing my point, if someone has access to upload theme files, then it doesn't matter what we do, it's already game over at that point. Any theme page, partial, or layout file can contain PHP code that has full access to the system, irregardless of whether the extension is .php or not. Are you saying that this issue is not present in Build 419 or earlier? |
|
Ok, maybe we just have different opinions at this point. |
|
I appreciate your willingness and time spent testing October for these things. I'll ask @daftspunk about this, but I don't think I would consider this an issue. By all means, please keep testing October for security vulnerabilities, but please consider reporting them directly to either @daftspunk or myself first. My email is in my profile. |
|
@LukeTowers is correct in his assertions. Having the ability to upload a theme grants the ability to execute PHP on the server, just like the "Code" tab on any CMS template. If necessary, this is easily restricted by using a permission structure, or by simply having a read-only file system (which is pretty common for high security sites). Some very custom themes use PHP files in them so blocking this file type is not a good idea either, even though as we've established it wouldn't change anything. |
Expected behavior
Well, dear sir, I just found an arbitrary upload vulnerability in Octobercms of the latest version.
ADLab of Venustech
Reproduce steps
When you login into the backend, you can visit:
http://localhost/backend/cms/themesYou can get the demo zip by export from demo theme, and now you have a zip file of demo.
Then you can add two file into the zip file,one evil php file and one .htaccess file.
.htaccess
evil.php
Now, I should upload the modified zip file , and import to cover the original demo theme folder.
When I upload successful, I'll get an evil file here .
Because of the new .htaccess file, I can visit the evil.php file directly now, I can see the php infomation of the server.
http://localhost/themes/demo/assets/evil.phpOctober build
The latest version.
Wish your response ,sir!
The text was updated successfully, but these errors were encountered: