
CVE-2020-36079 clarification needed #1292

Closed
fgeek opened this issue Feb 28, 2021 · 2 comments

Comments

@fgeek commented Feb 28, 2021

The CVE-2020-36079 vulnerability description is:

Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory.

Am I correct that this is not a vulnerability and needs admin privileges (or special permissions for regular users) and that the software is intended to behave in this manner?

@sbillard (Contributor) commented

Specifically, the user must be logged in and have upload rights. So, don't give those rights to someone you do not trust.

@acrylian (Member) commented

We just learned about this as well. This actually had been reported to us last year, and we addressed this issue in 1.5.7: https://www.zenphoto.org/news/zenphoto-1.5.7/. We have also just addressed this in our news section: https://www.zenphoto.org/news/why-not-every-security-issue-is-really-an-issue/

Actually you need full admin rights to upload executable files with the elFinder plugin now and not just upload rights.
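The gating rule acrylian describes (ordinary upload rights for media, full admin rights for anything the web server would execute) is easy to get subtly wrong, so here is an illustrative model of such a check. This is an added example written for this page; it is not Zenphoto's code and it does not reproduce how the elFinder plugin implements the restriction. The rights bits, the function names and the extension list are all assumptions chosen for the illustration.

```php
<?php
// Illustrative upload gate (not Zenphoto's implementation).
// Rule: a file whose name carries an extension the PHP host may execute is
// accepted only from a full administrator; any other file only needs the
// ordinary "may upload" right.

const UPLOAD_RIGHTS = 1 << 0;   // hypothetical bit: user may upload files
const ADMIN_RIGHTS  = 1 << 1;   // hypothetical bit: user is a full admin

// Extensions commonly mapped to the PHP handler. Kept deliberately broad:
// .phtml, .phar and the versioned .phpN forms are often handled as code too.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'phtml', 'phar',
];

// True if ANY dotted segment after the base name is an executable extension.
// Checking every segment, case-insensitively, catches "shell.php.jpg" and
// "SHELL.PHP"; some Apache AddHandler setups run a file with "php" anywhere
// in its extension chain, so a last-extension-only check is not enough.
function isExecutableName(string $filename): bool
{
    $segments = explode('.', strtolower(basename($filename)));
    array_shift($segments);                 // drop the base name
    foreach ($segments as $ext) {
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Decide whether a user holding $rights may store $filename.
function uploadAllowed(int $rights, string $filename): bool
{
    if (($rights & UPLOAD_RIGHTS) === 0) {
        return false;                       // no upload right at all
    }
    if (isExecutableName($filename)) {
        return ($rights & ADMIN_RIGHTS) !== 0;   // executables: admin only
    }
    return true;                            // plain media: upload right suffices
}

// Constructed sample cases: [rights, filename, expected decision].
$cases = [
    [UPLOAD_RIGHTS,                'photo.jpg',      true],
    [UPLOAD_RIGHTS,                'shell.php',      false],
    [UPLOAD_RIGHTS,                'shell.php.jpg',  false],
    [UPLOAD_RIGHTS,                'SHELL.PHTML',    false],
    [UPLOAD_RIGHTS | ADMIN_RIGHTS, 'plugin.php',     true],
    [0,                            'photo.jpg',      false],
];

foreach ($cases as [$rights, $name, $expected]) {
    $got = uploadAllowed($rights, $name);
    printf("%-16s rights=%d -> %-5s %s\n",
        $name, $rights, $got ? 'allow' : 'deny',
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

The point of the multi-segment check is that an extension allowlist or denylist applied only to the final extension is the classic way such a gate fails; whether a double extension actually executes depends on the web server's handler configuration, so the safe assumption is that it might.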
