

Security patch - Thank you Rik Lutz
 - Fixed and stopped possibility to upload constructed php files through
   elfinder
 - Added .htaccess files to try to tighten security on apache servers
 - Always use extension blacklist (ignore management page setting)
 - Stop XSS in print
 - Several other small improvements
torinfo committed Mar 27, 2020
1 parent 113a842 commit 694a591
Showing 21 changed files with 193 additions and 15 deletions.
9 changes: 5 additions & 4 deletions USER-FILES/.htaccess
Expand Up @@ -5,7 +5,8 @@ Options -Indexes
# Try and tell Apache not to serve out any files within this directory as PHP -
# this helps close a potential security flaw - given people can upload almost anything into an LO.

#RemoveHandler .php
<FilesMatch "\.((php[0-9]?)|p?html?|pl|sh|java|cpp|c|h|js|rc)$">
SetHandler None
</FilesMatch>
#prevent execution of php code (and other code)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
</IfModule>
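Review bot: The execution block at L30–34 is wrapped in `<IfModule mod_rewrite.c>`, so on a host where mod_rewrite is not loaded the rule silently disappears and uploaded `.php` files are handed back to the PHP handler; if the `<FilesMatch>`/`SetHandler None` block is the removed side, as the 4-deletion count suggests, the one protection that needed no module has been traded for one that does. Keep a module-independent layer next to the rewrite rule, e.g. `<FilesMatch "\.(php[0-9]?|phtml|phar|pl|sh|java|py)$">` / `SetHandler None` / `</FilesMatch>`, so either mechanism alone still blocks execution. Both variants depend on the directory's `AllowOverride` permitting `FileInfo`, which the commit cannot guarantee from inside the repository; `setup/htaccess.conf` would be the place to document that requirement.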
35 changes: 34 additions & 1 deletion editor/elfinder/browse.php
Expand Up @@ -22,6 +22,39 @@
* Created by Tom Reijnders
*/

require_once "../../config.php";

if(empty($_SESSION['toolkits_logon_id'])) {
die("Please login");
}

// if there are GET paramters, put them in session and restart
if (isset($_GET['uploadDir']) && isset($_GET['uploadURL']))
{
$_SESSION['uploadDir'] = $_REQUEST['uploadDir'];
$_SESSION['uploadURL'] = $_REQUEST['uploadURL'];

$params = "?";
foreach($_GET as $key => $param)
{
if ($key != "uploadDir" && $key != "uploadURL")
{
if (strlen($params) > 1)
{
$params .= "&";
}
$params .= $key . "=" . $param;
}
}

header("Location: " . $_SERVER["SCRIPT_NAME"] . $params);
}

if (strpos($_SESSION['uploadDir'], 'USER-FILES') === false || strpos($_SESSION['uploadURL'], 'USER-FILES') === false)
{
die("Invalid upload location");
}

$mode = 'standalone';
if (isset($_REQUEST['mode']) && $_REQUEST['mode']=='cke') {
$mode = 'cke';
Expand Down Expand Up @@ -88,7 +121,7 @@
?>

$('#elfinder').elfinder({
url : 'php/connector.php?uploadDir=<?php echo $_REQUEST['uploadDir'];?>&uploadURL=<?php echo $_REQUEST['uploadURL'];?>', // connector URL (REQUIRED)
url : 'php/connector.php?uploadDir=<?php echo $_SESSION['uploadDir'];?>&uploadURL=<?php echo $_SESSION['uploadURL'];?>', // connector URL (REQUIRED)
lang: '<?php echo $lang;?>', // language (OPTIONAL)
uiOptions : {
// toolbar configuration
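Review bot: The new guard at L69 is a substring test, so any value that merely contains `USER-FILES` — with arbitrary path components before or after it, or a different host in `uploadURL` — passes, and the value is still user-supplied: L50–51 copy it straight from the request into the session. It is then echoed unescaped into a JavaScript string literal at L82, so moving from `$_REQUEST` to `$_SESSION` changes where the value is stored, not whether it is trusted. Canonicalise and compare against the configured base before storing it, e.g. `$dir = realpath($_REQUEST['uploadDir']);` / `if ($dir === false || strpos($dir, realpath(<USER_FILES_BASE_PATH>)) !== 0) { die("Invalid upload location"); }`, and emit it at L82 with `json_encode()` (or `htmlspecialchars(..., ENT_QUOTES)` for the attribute context). The redirect at L53–66 also rebuilds the query string from raw `$_GET` keys and values; `http_build_query()` would encode them. The rest of the page, including the `$mode` handling that begins at L74, runs past the hunk.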
4 changes: 2 additions & 2 deletions editor/elfinder/php/connector.php
Expand Up @@ -90,10 +90,10 @@ function sanitizeName($cmd, $result, $args, $elfinder)
'path' => $rootpath . "/media", // path to files (REQUIRED)
'URL' => $rooturl . "/media", // URL to files (REQUIRED)
'accessControl' => 'access', // disable and hide dot starting files (OPTIONAL)
'tmbPath' => $rootpath . "/media//.tmb",
'tmbPath' => $rootpath . "/media/.tmb",
'tmbURL' => $rooturl . "/media/.tmb",
'tmbCrop' => false,
'uploadDeny' => array('text/x-php'),
'uploadDeny' => array('text/x-php','application/x-php'),
'attributes' => array(
array( // hide readmes
'pattern' => '/\.(txt|html|php|php5|php*|py|pl|sh|xml)$/i',
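Review bot: `uploadDeny` at L98 is still a deny-list keyed on the MIME type elFinder detects, so it only blocks an upload when detection yields one of the two listed strings; a type the sniffer labels differently, or an extension the `mime.types` table does not know (`phtml`, `phar`, `php7` are not added in this commit), is not caught here. elFinder supports the inverse policy: set `'uploadAllow' => array(<EXPECTED_MIME_TYPES>)` with `'uploadOrder' => array('deny', 'allow')` so that only expected types are accepted and the deny entries remain as an explicit backstop. The `attributes` pattern on L101 is context rather than new code, but `php*` in a PCRE means `ph` followed by any number of `p`, not a wildcard — `php[0-9]*|phtml|phar` is probably what was meant. The options array continues outside the hunk.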
4 changes: 4 additions & 0 deletions editor/elfinder/php/elFinderVolumeDriver.class.php
Expand Up @@ -2193,6 +2193,10 @@ protected function mimetype($path, $name = '') {
if ($ext && preg_match('~^application/(?:octet-stream|(?:x-)?zip)~', $type)) {
if (isset(elFinderVolumeDriver::$mimetypes[$ext])) $type = elFinderVolumeDriver::$mimetypes[$ext];
}
if ($ext && strpos($type, "text/plain") === 0)
{
if (isset(elFinderVolumeDriver::$mimetypes[$ext])) $type = elFinderVolumeDriver::$mimetypes[$ext];
}
}
} elseif ($type == 'mime_content_type') {
$type = mime_content_type($path);
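Review bot: The block added at L109–112 repeats the body of the condition just above it, and both only fire when the extension is present in `elFinderVolumeDriver::$mimetypes`, so an extension missing from that table still comes back as whatever the sniffer reported. Merging the two keeps the fallback in one place: `if ($ext && isset(elFinderVolumeDriver::$mimetypes[$ext]) && (preg_match('~^application/(?:octet-stream|(?:x-)?zip)~', $type) || strpos($type, 'text/plain') === 0)) { $type = elFinderVolumeDriver::$mimetypes[$ext]; }`. Since this is the vendored elFinder driver, a short comment such as `// Local patch: prefer the extension table over a sniffed text/plain so the uploadDeny list can match on extension` would stop the change being lost on the next library update. `mimetype()` starts and ends outside the hunk.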
2 changes: 1 addition & 1 deletion editor/elfinder/php/mime.types
Expand Up @@ -227,7 +227,7 @@ application/x-palm-database pdb prc
application/x-par2 PAR2 par2
application/x-pef-executable
application/x-perl pl pm al perl
application/x-php php php3 php4
application/x-php php php3 php4 php5
application/x-pkcs12 p12 pfx
application/x-planner planner mrproject
application/x-planperfect pln
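--- a/error_logs/.htaccess
+++ b/error_logs/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py|log)$ - [F]
+</IfModule>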
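Review bot: Nothing under `error_logs/` should be reachable over HTTP at all, yet the new rule at L142 only refuses the listed extensions, so a log written under another name or with no extension is still served; for this directory a blanket `Require all denied` (Apache 2.4; `Deny from all` on 2.2) is the simpler and safer rule. The same `<IfModule mod_rewrite.c>` wrapper appears in the nine sibling files added in this commit (import, languages, modules/decision, modules/site and the five modules/xerte templates), which means each of them silently loses its protection when mod_rewrite is absent or `AllowOverride` excludes `FileInfo`; a module-independent `<FilesMatch "\.(php[0-9]?|phtml|phar|pl|sh|java|py)$">` with `SetHandler None` alongside the rewrite rule would cover that case. Because these are per-directory copies, generating them from one template in `setup/` would keep the pattern from drifting between files over time.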
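--- a/import/.htaccess
+++ b/import/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>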
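--- a/languages/.htaccess
+++ b/languages/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>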
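--- a/modules/decision/templates/decision/.htaccess
+++ b/modules/decision/templates/decision/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>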
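--- a/modules/site/templates/site/.htaccess
+++ b/modules/site/templates/site/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>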
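--- a/modules/xerte/templates/FutureTeacher/.htaccess
+++ b/modules/xerte/templates/FutureTeacher/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>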
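--- a/modules/xerte/templates/Nottingham/.htaccess
+++ b/modules/xerte/templates/Nottingham/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>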
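--- a/modules/xerte/templates/Rss/.htaccess
+++ b/modules/xerte/templates/Rss/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>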
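--- a/modules/xerte/templates/mediaInteractions/.htaccess
+++ b/modules/xerte/templates/mediaInteractions/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>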
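--- a/modules/xerte/templates/multipersp/.htaccess
+++ b/modules/xerte/templates/multipersp/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>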
5 changes: 4 additions & 1 deletion plugins/file_uploading-extension-check.php
Expand Up @@ -84,7 +84,10 @@ function filter_by_extension_name() {
return $args[0];
}

if (Xerte_Validate_FileExtension::canRun() && $xerte_toolkits_site->enable_file_ext_check) {
// TOR 2020-03-24
// Force extension check, so DO NOT CHECK $xerte_toolkits_site->enable_file_ext_check
//if (Xerte_Validate_FileExtension::canRun() && $xerte_toolkits_site->enable_file_ext_check) {
if (Xerte_Validate_FileExtension::canRun()) {
Xerte_Validate_FileExtension::$BLACKLIST = $xerte_toolkits_site->file_extensions;
add_filter('editor_upload_file', 'filter_by_extension_name');
}
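Review bot: The commented-out former condition at L288 should be deleted rather than kept — the comment on L286–287 already records why the toggle was removed, and dead code next to a security check invites someone to re-enable it. Note that the filter is still a blacklist: `Xerte_Validate_FileExtension::$BLACKLIST` is fed from `$xerte_toolkits_site->file_extensions` (L290), so an administrator who empties that setting turns the check off just as effectively as the removed flag did; an allow-list of the extensions the editor actually needs would not have that property. When `canRun()` returns false nothing is registered and uploads proceed unchecked; unless that method only guards an optional dependency, fail closed with something like `if (!Xerte_Validate_FileExtension::canRun()) { die('File extension validation unavailable'); }`.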
4 changes: 2 additions & 2 deletions print/index.php
Expand Up @@ -35,8 +35,8 @@
<form id="form1" name="form1" method="get" action="print.php">
<p>To see how this works use the example below or paste the full link to your own LO.</p>
<p>
<label>Link to LO:
<input name="link" type="text" id="link" value="http://training.mitchellmedia.co.uk/xerte/play.php?template_id=96" size="100" />
<label>The template id of the LO, :
<input name="template_id" type="text" id="template_id" value="" size="80" />
</label>
</p>
<p>Print LO pages:
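Review bot: The new label on L301 reads `The template id of the LO, :` — the stray comma should go, e.g. `<label>Template id of the LO:`. Since the field now carries a numeric id rather than a URL, `type="number" min="1"` on the input at L302 gives the browser-side hint, though `print.php` still has to validate the value server-side.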
11 changes: 8 additions & 3 deletions print/print.php
@@ -1,3 +1,6 @@
<?php
require_once("../config.php");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
Expand Down Expand Up @@ -30,12 +33,14 @@

<div id="container">
<div id="mainContent">
<h1><?php
<p><?php
$hide=$_GET["hide"];
$link=$_GET["link"];
$template_id=$_GET["template_id"];
$from=$_GET["from"];
$to=$_GET["to"];


// Create the link
$link = $xerte_toolkits_site->site_url . "play.php?template_id=" . $template_id;
#echo $link."<br>";
while($from <= $to)
{
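Review bot: `$template_id` on L324 is taken from `$_GET` and concatenated into `$link` on L330 with no validation, and `$from`/`$to` on L325–326 drive the `while` loop on L332 unchecked, so a non-numeric id produces a malformed URL and a large `to` value makes the loop run for as long as the caller likes. Validate at the top: `$template_id = filter_input(INPUT_GET, 'template_id', FILTER_VALIDATE_INT);` / `$from = filter_input(INPUT_GET, 'from', FILTER_VALIDATE_INT); $to = filter_input(INPUT_GET, 'to', FILTER_VALIDATE_INT);` / `if (!$template_id || $from === false || $to === false || $to - $from > <MAX_PRINT_PAGES>) { die('Invalid request'); }`. The `while` body and whatever writes `$link` into the page continue outside the hunk, so the XSS fix named in the commit message cannot be confirmed from here; every place `$link`, `$hide` or the page counter is emitted into HTML should pass through `htmlspecialchars()`. `$hide` on L322 is read but not used in the visible lines.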
2 changes: 1 addition & 1 deletion setup/htaccess.conf
@@ -1,4 +1,4 @@
Options +FollowSymLinks
Options +FollowSymLinks -Indexes

rewriteEngine on

6 changes: 6 additions & 0 deletions website_code/php/import/fileupload.php
Expand Up @@ -20,6 +20,12 @@
require_once "../../../config.php";
require_once "../../../plugins.php";

if (!isset($_SESSION['toolkits_logon_username']))
{
_debug("Session is invalid or expired");
die("Session is invalid or expired");
}

_load_language_file("/website_code/php/import/fileupload.inc");

if(apply_filters('editor_upload_file', $_FILES)){
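Review bot: The new session guard at L350 keys on `toolkits_logon_username`, while `editor/elfinder/browse.php` in the same commit checks `toolkits_logon_id` with `empty()` (L43); pick one key and one shared helper so every upload entry point makes the same decision, and the same applies to the identical block added to `website_code/php/management/upload.php`. Both guards `die()` with a 200 response; send `http_response_code(403);` before the `die()` so clients and logs see a refusal rather than a page. The management upload handles templates for the whole site, so — unless a role check exists outside the hunk — it should also require the administrator flag rather than any logged-in session. Whether `session_start()` has run by L350 depends on the `config.php` required on L347, which is outside the hunk.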
6 changes: 6 additions & 0 deletions website_code/php/management/upload.php
Expand Up @@ -17,6 +17,12 @@
global $xerte_toolkits_site;
$prefix = $xerte_toolkits_site->database_table_prefix;

if (!isset($_SESSION['toolkits_logon_username']))
{
_debug("Session is invalid or expired");
die("Session is invalid or expired");
}

if($_FILES['fileToUpload']['error'] == 4)
{
exit(TEMPLATE_UPLOAD_NO_FILE_SELECTED);
