Security Issue: Unrestricted File Upload #625

Closed
imnarendrabhati opened this issue May 5, 2015 · 6 comments

@imnarendrabhati

commented May 5, 2015

Hello there, Wolf CMS! Greetings from Bhati.

While looking at your CMS version 0.8.2, I found that an authenticated user can upload a malicious arbitrary file to the server, which allows him to take over web server access, such as command execution, where a user can act as server admin.

Looking forward to your response so I can share the details with you! It will be better if we discuss over email so the information will not be disclosed here!

@mvdkleijn

Member

commented May 5, 2015

This is almost starting to feel like spam... a set(!) of Indian guys reporting the exact same "vulnerability" in almost the same sentence structure. No offense intended, by the way.

You can send your info to wolfcms at gmail dot com

@imnarendrabhati

Author

commented May 5, 2015

Shocked to see your response,

  1. My reply to the comment about "Indian Researcher Spamming On You"
    First, you have to take back your words that Indians are spamming you. Facebook has announced that India Tops Facebook's Bug Bounty Program Again With Most Recipients.
    http://gadgets.ndtv.com/social-networking/news/india-tops-facebooks-bug-bounty-program-again-with-most-recipients-664843
  2. Report Structure Is Same
    The report structure will always be the same due to the vulnerability details. If a person reports to you from India, USA, London, the structure will still be the same, so think before you reply.
  3. You can send your info to wolfcms at gmail dot com
    No no no, I am very sorry that I notified you about your CMS vulnerability,

@imnarendrabhati imnarendrabhati changed the title Security Issue: Unrestricted File Upload Sorry Bro That I Reported You About Vulnerabilities :p May 5, 2015

@mvdkleijn

Member

commented May 5, 2015

I apologize for the misunderstanding. I had no intention to offend anyone. In my defense, in less than 3 days I got 5 different guys sending me almost letter for letter the same email/message about the same vulnerability, when I normally get maybe one vulnerability report in a year.

That made me wonder if it wasn't spam. Apparently it wasn't, for which I apologize.

@mvdkleijn

Member

commented May 5, 2015

To clarify: I didn't mean similar report structure, which is fine.

I meant an almost letter for letter copy of the earlier messages I got.

@mvdkleijn mvdkleijn changed the title Sorry Bro That I Reported You About Vulnerabilities :p Security Issue: Unrestricted File Upload May 5, 2015

mvdkleijn added a commit that referenced this issue Aug 10, 2015

mvdkleijn added a commit that referenced this issue Aug 10, 2015

@mvdkleijn

Member

commented Aug 10, 2015

Fixed in 0.8.3

@mvdkleijn mvdkleijn closed this Aug 10, 2015

@oerdnj


commented Sep 1, 2015

The issue is definitely not fixed. The fix that made it into 0.8.3 is insufficient, as there might be other extensions that could get executed either via PHP (e.g. the default Debian config executes .phtml and .php5) or via some other interpreter.

You have to separate code directories from user content directories and make sure that no user-uploaded file can ever be executed.

+        $ext = strtolower(pathinfo($data['new_name'], PATHINFO_EXTENSION));
+        if (in_array($ext, ['php', 'php3', 'php4', 'inc')) {
+            Flash::set('error', __('Not allowed to upload files with extension :ext', $ext));
+            redirect(get_url('plugin/file_manager/browse/'));
+        }
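
Review bot: the `in_array($ext, ['php', 'php3', 'php4', 'inc')` test is a denylist, so every executable extension it does not name passes; the surrounding comment names `.phtml` and `.php5` as handled by PHP in a default Debian config. Invert it into an allowlist of the extensions the file manager needs to accept and reject everything else, including an empty extension. As quoted, the array literal opens with `[` and closes with `)`, which will not parse; it needs `]` before the closing parenthesis. Nothing visible after `redirect(...)` stops the method, so confirm that `redirect()` ends the request or add an explicit `return` so the rename cannot proceed after the error is flashed.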

This code is simply wrong, as it protects against a very specific class of attacks (and extensions) and still leaves the doors open to attackers via other means.

You should also make sure that you won't ever include a user-uploaded page, e.g. via WOLFPAGE=<user_upload_file> (I am sorry, but I don't have time for a complete audit and I don't care enough).
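
The allowlist and separate-storage approach argued for in the comment above, as an added example that is not part of this thread or of Wolf CMS's code. The function names, the `ALLOWED_EXT` set and the `/var/lib/cms-uploads` path are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not Wolf CMS code. All names and paths here are assumptions.

// Denylist with the same extension list as the 0.8.3 check quoted above.
function denylist_allows(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'php3', 'php4', 'inc'], true);
}

// Allowlist: only the extensions the site needs to accept (assumed set).
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function allowlist_allows(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true); // '' (no extension) is refused
}

// The server generates the stored name; the client-supplied name only
// contributes an already-allowlisted extension. $uploadDir is assumed to sit
// outside the document root, in a directory with no script handler mapped.
function storage_path(string $uploadDir, string $clientName): ?string
{
    if (!allowlist_allows($clientName)) {
        return null;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names; .phtml and .php5 are the extensions named in the
// comment above as executed by PHP in a default Debian config.
$samples = ['photo.JPG', 'notes.txt', 'page.php', 'page.phtml', 'page.php5', 'README'];

foreach ($samples as $name) {
    printf(
        "%-11s denylist=%-6s allowlist=%-6s stored=%s\n",
        $name,
        denylist_allows($name) ? 'accept' : 'reject',
        allowlist_allows($name) ? 'accept' : 'reject',
        storage_path('/var/lib/cms-uploads', $name) ?? '(refused)'
    );
}
```

In the output, `page.phtml` and `page.php5` are accepted by the denylist and refused by the allowlist, which is the gap the comment describes.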
