Closed passtheticket closed 6 months ago
@passtheticket Thank you for your report. I will fix this. Until a fixed version is released, elFinder administrators can work around this issue by using 'additionalMimeMap' in the roots configuration, as follows:
'roots' => array(
// Items volume
array(
'additionalMimeMap' => array(
'php8:*' => 'text/x-php',
'php9:*' => 'text/x-php'
),
'driver' => 'LocalFileSystem', // driver for accessing file system (REQUIRED)
'path' => '../files/', // path to files (REQUIRED)
'URL' => dirname($_SERVER['PHP_SELF']) . '/../files/', // URL to files (REQUIRED)
'trashHash' => 't1_Lw', // elFinder's hash of trash folder
'winHashFix' => DIRECTORY_SEPARATOR !== '/', // to make hash same to Linux one on windows too
'uploadDeny' => array('all'), // All Mimetypes not allowed to upload
'uploadAllow' => array('image/x-ms-bmp', 'image/gif', 'image/jpeg', 'image/png', 'image/x-icon', 'text/plain'), // Mimetype `image` and `text/plain` allowed to upload
'uploadOrder' => array('deny', 'allow'), // allowed Mimetype `image` and `text/plain` only
'accessControl' => 'access' // disable and hide dot starting files (OPTIONAL)
),
Describe the bug There is no restriction for uploading the file with the .php8 extension. I encountered this situation during penetration testing of a website that uses the elFinder. In some environments, .php8 can be executed as PHP. Especially, when the PHP is updated from a lower version to 8.x, the .php8 can be added to the .htaccess file for PHP handling like:
In another case, .php8 can be executed as PHP according to following the Apache configuration.
To Reproduce Steps to reproduce the behavior:
test<?php phpinfo();?>
test.php8
files
directoryExpected behavior I think that the
php8
can be added to thestaticMineMap
array in theelFinderVolumeDriver
class.Screenshots
![2](https://github.com/Studio-42/elFinder/assets/76125965/1ec5a61b-b297-48f4-87be-51f2c2a31fa7)