Recent Topics

File manager allows renaming files to protected extensions.

started by on Jan 08, 2008 – Last touched: Jan 08, 2008

Jan 08, 2008 12:56    

File manager allows renaming files to protected extensions.

I've just uploaded info.txt in DEMO, renamed it into info.php and now I can reach it from /media/users/admin/info.php

Fortunately, your server is protected and browser trying to download the file, but I can easily run any .php file uploaded and renamed on my server.

So, everybody who can login in MY demo, will be able to run their scripts :(

Jan 08, 2008 13:12

Thanks, reported to dev list

¥

Jan 08, 2008 13:41

Ok. But what should we put in /media/.htaccess to download requested .php files?

AddType application/??? .php :?:

Jan 08, 2008 13:52

This appears to work :

Code

AddHandler application/octet-stream .php

¥

Jan 08, 2008 14:03

Thanks !

And one more question :)
How to navigate this rule to specific folder, in our case /media ?

Jan 08, 2008 14:10

You should just need to upload it to your media folder, the rest of your blog won't be affected

¥

Jan 08, 2008 14:25

It works.
And now .php file prints on the screen.

But when I put this string in root .htaccess, browser tried to download the file

Anyway, thank you. This is better than nothing. :)

Jan 08, 2008 18:44

This was the reply on the dev list

Default Group permissions for Administrators:
Files: Edit ALL including protected.

Have you tried changing the extension as a non-admin user?

¥

Jan 08, 2008 19:02

User can only change the ext when he granted appropriate permissions (modify protected files).
Shortly, when you can rename - you can change ext.

Jan 08, 2008 19:54

That lost me a tad :

1) can a user change extensions , to non-protected extensions, without the permissions to modify protected files ?
2) can a user change the extension, to a protected extension, without the permissions to modify protected files ?
3) Will the world one day run out of beer and make me very unhappy?

Please note : I could probably answer all these by playing in admin but I haven't had a chance to try yet :p

¥

Jan 08, 2008 20:24

That's good enough for me for now then ;)

¥

Jan 22, 2008 05:58

You can still do it in 2.4 version :(

Feb 03, 2008 00:04

sam2kb, this is NOT A BUG!

The ADMINS are GRANTED the PERMISSION to edit PHP files, especially (but not only) within skins!

Feb 03, 2008 00:12

Maybe it's better to block this option in demo mode, or just put .htaccess file in media by default?


Form is loading...

powered by b2evolution free blog software – This forum is powered by b2evolution CMS, a complete engine for your website.