
Commit 694a591

Security patch - Thank you Rik Lutz
- Fixed and stopped possibility to upload constructed php files through elfinder - Added .htaccess files to try to tighten security on apache servers - Always use extension blacklist (ignore management page setting) - Stop XSS in print - Several other small improvements
1 parent 113a842 commit 694a591


21 files changed

+193
-15
lines changed


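--- a/USER-FILES/.htaccess
+++ b/USER-FILES/.htaccess
@@ -5,7 +5,8 @@ Options -Indexes
 # Try and tell Apache not to serve out any files within this directory as PHP -
 # this helps close a potential security flaw - given people can upload almost anything into an LO.
 
-#RemoveHandler .php
-<FilesMatch "\.((php[0-9]?)|p?html?|pl|sh|java|cpp|c|h|js|rc)$">
-SetHandler None
-</FilesMatch>
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>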
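Review bot: The new RewriteRule at line 11 is case-sensitive and only matches an extension at the very end of the path, so `shell.PHP` is not refused wherever the PHP handler is matched case-insensitively, and if this Apache maps PHP with `AddHandler` (which matches the extension anywhere in the name) a file called `shell.php.jpg` would still be executed; `phar`, `pht`, `phtm` and `phps` are also not listed. Adding `[NC]` and matching the extension followed by a dot or end of string covers both: `RewriteRule \.(php[0-9]?|phtml|phtm|pht|phar|phps|pl|sh|java|py)(\.|$) - [F,NC]`. The removed `<FilesMatch>`/`SetHandler None` block did not depend on mod_rewrite, whereas the whole new rule sits inside `<IfModule mod_rewrite.c>` and silently does nothing where that module is absent, so keeping a `<FilesMatch "\.ph(p[0-9]?|tml|ar)$"> SetHandler None </FilesMatch>` fallback next to it is cheap belt-and-braces. Both forms also rely on `AllowOverride` granting `FileInfo` and `Options` for this directory, which is worth stating in the comment at line 5.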

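--- a/editor/elfinder/browse.php
+++ b/editor/elfinder/browse.php
@@ -22,6 +22,39 @@
 * Created by Tom Reijnders
 */
 
+require_once "../../config.php";
+
+if(empty($_SESSION['toolkits_logon_id'])) {
+die("Please login");
+}
+
+// if there are GET paramters, put them in session and restart
+if (isset($_GET['uploadDir']) && isset($_GET['uploadURL']))
+{
+$_SESSION['uploadDir'] = $_REQUEST['uploadDir'];
+$_SESSION['uploadURL'] = $_REQUEST['uploadURL'];
+
+$params = "?";
+foreach($_GET as $key => $param)
+{
+if ($key != "uploadDir" && $key != "uploadURL")
+{
+if (strlen($params) > 1)
+{
+$params .= "&";
+}
+$params .= $key . "=" . $param;
+}
+}
+
+header("Location: " . $_SERVER["SCRIPT_NAME"] . $params);
+}
+
+if (strpos($_SESSION['uploadDir'], 'USER-FILES') === false || strpos($_SESSION['uploadURL'], 'USER-FILES') === false)
+{
+die("Invalid upload location");
+}
+
 $mode = 'standalone';
 if (isset($_REQUEST['mode']) && $_REQUEST['mode']=='cke') {
 $mode = 'cke';
@@ -88,7 +121,7 @@
 ?>
 
 $('#elfinder').elfinder({
-url : 'php/connector.php?uploadDir=<?php echo $_REQUEST['uploadDir'];?>&uploadURL=<?php echo $_REQUEST['uploadURL'];?>', // connector URL (REQUIRED)
+url : 'php/connector.php?uploadDir=<?php echo $_SESSION['uploadDir'];?>&uploadURL=<?php echo $_SESSION['uploadURL'];?>', // connector URL (REQUIRED)
 lang: '<?php echo $lang;?>', // language (OPTIONAL)
 uiOptions : {
 // toolbar configuration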
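Review bot: Line 124 still echoes `$_SESSION['uploadDir']` and `$_SESSION['uploadURL']` unescaped into a JavaScript string literal, and those values are copied verbatim from `$_REQUEST` at lines 34–35, so a request carrying `'` or `</script>` in `uploadDir` lands in the page exactly as before — moving the value from `$_REQUEST` to `$_SESSION` changes where it is stored, not whether it is trusted. Build the connector URL in PHP and emit it JSON-encoded: `url : <?php echo json_encode('php/connector.php?uploadDir=' . rawurlencode($_SESSION['uploadDir']) . '&uploadURL=' . rawurlencode($_SESSION['uploadURL']), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP); ?>,`. The `strpos(..., 'USER-FILES') === false` test at line 53 only asks whether the substring appears somewhere, so a value such as `../USER-FILES/../../` passes; if `uploadDir` becomes a filesystem root for the connector, resolve it with `realpath()` and require the result to start with the real `USER-FILES` directory. The redirect at line 50 is not followed by `exit;`, so the rest of the page is rendered and sent after the `Location` header, and the query string at line 46 is rebuilt without `urlencode()` on either key or value.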

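--- a/editor/elfinder/php/connector.php
+++ b/editor/elfinder/php/connector.php
@@ -90,10 +90,10 @@ function sanitizeName($cmd, $result, $args, $elfinder)
 'path' => $rootpath . "/media", // path to files (REQUIRED)
 'URL' => $rooturl . "/media", // URL to files (REQUIRED)
 'accessControl' => 'access', // disable and hide dot starting files (OPTIONAL)
-'tmbPath' => $rootpath . "/media//.tmb",
+'tmbPath' => $rootpath . "/media/.tmb",
 'tmbURL' => $rooturl . "/media/.tmb",
 'tmbCrop' => false,
-'uploadDeny' => array('text/x-php'),
+'uploadDeny' => array('text/x-php','application/x-php'),
 'attributes' => array(
 array( // hide readmes
 'pattern' => '/\.(txt|html|php|php5|php*|py|pl|sh|xml)$/i',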
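Review bot: `uploadDeny` at line 96 is a denylist keyed on the detected MIME type, so a PHP file whose extension is not in `mime.types` (`.phtml`, `.phar`, `.php7`, `.pht`) or whose content finfo classifies as something other than PHP is not caught — the check only fires when detection happens to report `text/x-php` or `application/x-php`. If this volume only needs to hold media (its root is `$rootpath . "/media"`), an allow-list is the safer shape: `'uploadDeny' => array('all'), 'uploadAllow' => array('image', 'audio', 'video', /* … the document types the LO actually needs */), 'uploadOrder' => array('deny', 'allow'),`. The unchanged `attributes` pattern at line 99, `php|php5|php*`, does not do what it looks like — `php*` is `ph` followed by any number of `p`, so `php7` and `phtml` are not hidden; `php[0-9]?|phtml` would be. Hiding only affects what the UI lists, not whether Apache executes the file, so the `.htaccess` rules remain the real control and this stays defence in depth.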

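--- a/editor/elfinder/php/elFinderVolumeDriver.class.php
+++ b/editor/elfinder/php/elFinderVolumeDriver.class.php
@@ -2193,6 +2193,10 @@ protected function mimetype($path, $name = '') {
 if ($ext && preg_match('~^application/(?:octet-stream|(?:x-)?zip)~', $type)) {
 if (isset(elFinderVolumeDriver::$mimetypes[$ext])) $type = elFinderVolumeDriver::$mimetypes[$ext];
 }
+if ($ext && strpos($type, "text/plain") === 0)
+{
+if (isset(elFinderVolumeDriver::$mimetypes[$ext])) $type = elFinderVolumeDriver::$mimetypes[$ext];
+}
 }
 } elseif ($type == 'mime_content_type') {
 $type = mime_content_type($path);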
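Review bot: The new block at lines 2196–2199 only re-maps by extension when finfo reported `text/plain`, so a `.php` file that finfo classifies as `text/html` (one that opens with markup before the first `<?php`) or `text/x-c` keeps that type and the connector's `uploadDeny` never sees `application/x-php`. Widening the test to the whole `text/` family costs nothing and closes that gap: `if ($ext && strpos($type, 'text/') === 0)`. The remap still depends on the extension being present in `mime.types`, so `phtml`, `php7` and `phar` pass either way until that table lists them. `mimetype()` begins and ends outside this hunk, so how `$ext` is derived (last extension only, or something else) is not visible here and should be checked for double-extension names.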

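--- a/editor/elfinder/php/mime.types
+++ b/editor/elfinder/php/mime.types
@@ -227,7 +227,7 @@ application/x-palm-database pdb prc
 application/x-par2 PAR2 par2
 application/x-pef-executable
 application/x-perl pl pm al perl
-application/x-php php php3 php4
+application/x-php php php3 php4 php5
 application/x-pkcs12 p12 pfx
 application/x-planner planner mrproject
 application/x-planperfect pln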
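Review bot: Line 230 adds `php5` but leaves out the other extensions a PHP-enabled Apache commonly hands to the interpreter — `php7`, `phtml`, `phar`, `pht` — so uploads with those names are still typed by finfo rather than by extension and escape the connector's `uploadDeny`. Suggest `application/x-php php php3 php4 php5 php7 phtml phar pht`, keeping the list aligned with the extensions the new `.htaccess` rules refuse. Which of these names are actually executed depends on the server's handler configuration; this table only needs to be at least as broad as that configuration.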

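--- /dev/null
+++ b/error_logs/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py|log)$ - [F]
+</IfModule>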
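Review bot: The rule at line 11 only refuses names ending in one of the listed extensions, so anything else written to this directory — a log named `error_log` with no extension, or a `.txt` — is still served to anyone who guesses the URL, and the comment at lines 5–6 about people uploading into an LO does not describe this directory. Since nothing under `error_logs/` should be web-reachable, deny the whole directory instead: `Require all denied` on Apache 2.4, or `Order deny,allow` / `Deny from all` on 2.2 (wrap each in `<IfVersion>` or `<IfModule>` if both must be supported), and keep `Options -Indexes`. The extension rule can remain as a second layer, but it should not be the primary control for a log directory.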

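--- /dev/null
+++ b/import/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>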
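Review bot: This is the same twelve-line block as the other nine `.htaccess` files added in this commit, and the copies will drift the next time an extension is added — the `error_logs` copy already differs by an extra `log`. If the root `.htaccess` generated from `setup/htaccess.conf` is always installed, one `RewriteRule` there keyed on the directory prefixes would replace the per-directory copies; failing that, a first-line comment such as `# Keep in sync with USER-FILES/.htaccess` at least tells the next editor where the canonical copy lives. The rule is also case-sensitive as written; `[F,NC]` would refuse `.PHP` as well.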

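--- /dev/null
+++ b/languages/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>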

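--- /dev/null
+++ b/modules/decision/templates/decision/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>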

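--- /dev/null
+++ b/modules/site/templates/site/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>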

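--- /dev/null
+++ b/modules/xerte/templates/FutureTeacher/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>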

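--- /dev/null
+++ b/modules/xerte/templates/Nottingham/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>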

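--- /dev/null
+++ b/modules/xerte/templates/Rss/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>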

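--- /dev/null
+++ b/modules/xerte/templates/mediaInteractions/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>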

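--- /dev/null
+++ b/modules/xerte/templates/multipersp/.htaccess
@@ -0,0 +1,12 @@
+# Stop Apache doing directory indexing.
+Options -Indexes
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP -
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#prevent execution of php code (and other code)
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .*\.(php|php[0-9]|phtml|pl|sh|java|py)$ - [F]
+</IfModule>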

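--- a/plugins/file_uploading-extension-check.php
+++ b/plugins/file_uploading-extension-check.php
@@ -84,7 +84,10 @@ function filter_by_extension_name() {
 return $args[0];
 }
 
-if (Xerte_Validate_FileExtension::canRun() && $xerte_toolkits_site->enable_file_ext_check) {
+// TOR 2020-03-24
+// Force extension check, so DO NOT CHECK $xerte_toolkits_site->enable_file_ext_check
+//if (Xerte_Validate_FileExtension::canRun() && $xerte_toolkits_site->enable_file_ext_check) {
+if (Xerte_Validate_FileExtension::canRun()) {
 Xerte_Validate_FileExtension::$BLACKLIST = $xerte_toolkits_site->file_extensions;
 add_filter('editor_upload_file', 'filter_by_extension_name');
 }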
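Review bot: Line 90 forces the check on, but line 91 still takes `$BLACKLIST` entirely from the admin-editable `$xerte_toolkits_site->file_extensions`, so the "always" check is a no-op if that setting is emptied or never listed `php7`/`phtml`/`phar`; and when `canRun()` returns false no filter is registered and uploads proceed with no record of the fail-open. Merging a fixed minimum into the list keeps the site setting as an extension of the baseline rather than a replacement: `Xerte_Validate_FileExtension::$BLACKLIST = array_unique(array_merge(array('php','php3','php4','php5','php7','phtml','phar','pht'), (array) $xerte_toolkits_site->file_extensions));` (adjust if `$BLACKLIST` is a delimited string rather than an array — its type is not visible here), and an `else { _debug('extension check unavailable: uploads are not filtered'); }` branch would at least log the other case. The commented-out `if` at line 89 can go now that the decision is recorded; the two comment lines above it read better as one: `// 2020-03-24: the extension check is always on; the enable_file_ext_check site setting is intentionally ignored.`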

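--- a/print/index.php
+++ b/print/index.php
@@ -35,8 +35,8 @@
 <form id="form1" name="form1" method="get" action="print.php">
 <p>To see how this works use the example below or paste the full link to your own LO.</p>
 <p>
-<label>Link to LO:
-<input name="link" type="text" id="link" value="http://training.mitchellmedia.co.uk/xerte/play.php?template_id=96" size="100" />
+<label>The template id of the LO, :
+<input name="template_id" type="text" id="template_id" value="" size="80" />
 </label>
 </p>
 <p>Print LO pages: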
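Review bot: The label at line 38, `The template id of the LO, :`, has a stray comma, and the unchanged sentence at line 36 still tells the user to "paste the full link to your own LO" although the field now takes an id; `<label for="template_id">Template id of the LO:` and `<p>Enter the template id of the LO you want to print.</p>` would match the new form. Since `print.php` builds a URL from this value, `<input name="template_id" type="text" id="template_id" value="" size="80" pattern="[0-9]+" required />` gives the browser a hint, though the real validation has to happen server-side in `print.php`.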

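--- a/print/print.php
+++ b/print/print.php
@@ -1,3 +1,6 @@
+<?php
+require_once("../config.php");
+?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
@@ -30,12 +33,14 @@
 
 <div id="container">
 <div id="mainContent">
-<h1><?php
+<p><?php
 $hide=$_GET["hide"];
-$link=$_GET["link"];
+$template_id=$_GET["template_id"];
 $from=$_GET["from"];
 $to=$_GET["to"];
-
+
+
+// Create the link
+$link = $xerte_toolkits_site->site_url . "play.php?template_id=" . $template_id;
 #echo $link."<br>";
 while($from <= $to)
 {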
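Review bot: `$template_id` at line 38 is read raw from `$_GET` and concatenated into `$link` at line 43 with no cast or validation, so the XSS this commit sets out to stop is only narrowed: a value such as `1&x=<script>` survives into `$link`, and if `$link`, `$hide`, `$from` or `$to` is printed or used as an `iframe`/`src` in the `while` loop that continues past line 46, attacker-controlled text still reaches the page. Cast the numeric inputs on read — `$template_id = isset($_GET["template_id"]) ? (int) $_GET["template_id"] : 0; $from = isset($_GET["from"]) ? (int) $_GET["from"] : 0; $to = isset($_GET["to"]) ? (int) $_GET["to"] : 0;` — which also removes the undefined-index notices when a parameter is missing, and pass anything that is still echoed through `htmlspecialchars()`. `browse.php` and the two upload handlers in this commit now require a session, while `print.php` only pulls in `config.php` at line 2 and has no equivalent check; if printing is not meant to be anonymous, the same guard belongs here.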

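--- a/setup/htaccess.conf
+++ b/setup/htaccess.conf
@@ -1,4 +1,4 @@
-Options +FollowSymLinks
+Options +FollowSymLinks -Indexes
 
 rewriteEngine on
 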
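--- a/website_code/php/import/fileupload.php
+++ b/website_code/php/import/fileupload.php
@@ -20,6 +20,12 @@
 require_once "../../../config.php";
 require_once "../../../plugins.php";
 
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+_debug("Session is invalid or expired");
+die("Session is invalid or expired");
+}
+
 _load_language_file("/website_code/php/import/fileupload.inc");
 
 if(apply_filters('editor_upload_file', $_FILES)){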
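Review bot: The guard at lines 23–27 ends in `die()` with the default 200 status, so the browser-side uploader cannot tell "not logged in" from success without parsing the body; send a status first, `header('HTTP/1.1 401 Unauthorized');` before the `die`. It also tests a different session key and predicate from `browse.php` in this same commit (`isset($_SESSION['toolkits_logon_username'])` here, `!empty($_SESSION['toolkits_logon_id'])` there), which is how such checks drift apart — a single `require_login()` in `config.php` or `plugins.php` used by all three entry points would keep them aligned. Nothing in the visible lines verifies an anti-CSRF token on this state-changing upload; if the application issues one, checking it next to the session guard is the natural place, and `die()` with a plain string bypasses `_load_language_file()` which is only called afterwards at line 29.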

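--- a/website_code/php/management/upload.php
+++ b/website_code/php/management/upload.php
@@ -17,6 +17,12 @@
 global $xerte_toolkits_site;
 $prefix = $xerte_toolkits_site->database_table_prefix;
 
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+_debug("Session is invalid or expired");
+die("Session is invalid or expired");
+}
+
 if($_FILES['fileToUpload']['error'] == 4)
 {
 exit(TEMPLATE_UPLOAD_NO_FILE_SELECTED);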
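Review bot: The guard at lines 20–24 only proves that some user is logged in, yet this handler sits under `website_code/php/management/`; if uploading here is reserved for site managers, a role check belongs next to the session check (whatever management flag the session carries — it is not visible in this hunk), otherwise any authenticated account reaches it. As in `import/fileupload.php`, put `header('HTTP/1.1 401 Unauthorized');` before the `die()` so the failure is machine-detectable, and prefer one shared helper so both upload handlers and `browse.php` test the same session key instead of three variants. The `$_FILES['fileToUpload']['error'] == 4` test at line 26 now correctly runs after the guard, but it still emits a notice when the field is absent altogether; `if (!isset($_FILES['fileToUpload']) || $_FILES['fileToUpload']['error'] == UPLOAD_ERR_NO_FILE)` is both quieter and self-describing.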
