flatpressblog / flatpress

FlatPress is a lightweight, easy-to-set-up flat-file blogging engine.
https://flatpress.org
GNU General Public License v2.0

PrettyURLs plugin: htaccess editor poses potential threats #379

Closed azett closed 4 months ago

azett commented 4 months ago

As pointed out in #217 by @JuyLang, enabling the site admin to edit the .htaccess file directly may lead to remote code execution (RCE):

Although all of the above is only possible when logged in as site admin properly, it is worth discussing if the .htaccess editor in the PrettyURLs plugin is really necessary. If not, it should be removed.

Your opinions, please!

Fraenkiman commented 4 months ago

Hello everyone,

In general, the admin area is a secure area that is reserved for the admin only. I think editing the .htaccess file from the frontend is a cool feature. I therefore vote in favor of retaining this feature.

With best regards Frank

JuyLang commented 4 months ago

Hi everyone,

The PrettyURLs plugin currently allows administrators to directly edit the .htaccess file through its interface. This functionality can pose a significant security risk. For instance, administrators can add directives that treat non-standard file extensions as executable PHP files (e.g., AddType application/x-httpd-php .abc). An attacker who gains admin access could upload a malicious .abc file that executes arbitrary code when accessed, leading to Remote Code Execution (RCE).

Suggested Actions:

Fraenkiman commented 4 months ago

Hello everyone,

In principle, I think a check for integrity/strict validations and an additional security query is not wrong. ...but

From further views:

Wouldn't we rather leave the validation and integrity check of the .htaccess file to the web server admin? This is more likely to determine which actions are permitted with the .htaccess file and which are not.

In my view, it would be sufficient if an additional security prompt appeared after a change before the file was overwritten.

As a quick, flexible solution: You could use the active FlatPress Protect plugin to hide the edit field. If the FlatPress Protect plugin is deactivated, the editing field is displayed. (Expert mode ON/OFF :grin: ) https://github.com/Fraenkiman/flatpress/archive/refs/heads/issue379-FlatPress-Protect-plugin-hides-the-.htaccess-edit-field.zip


What do you think?

With best regards Frank
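As an added illustration of the "strict validation" option discussed in this thread (this is example code, not code from FlatPress or the PrettyURLs plugin): an allowlist check the editor could run before overwriting .htaccess. It assumes the plugin only needs mod_rewrite directives, optionally wrapped in `<IfModule>`; the two sample submissions are constructed.

```php
<?php
// Added example, not FlatPress/PrettyURLs code. Allowlist validator for
// .htaccess text submitted through an admin editor. Assumption: the editor
// only needs mod_rewrite directives (optionally inside <IfModule>), so any
// other directive, including an AddType line that maps a new extension to
// PHP as described in the issue, is rejected before the file is written.

const HTACCESS_ALLOWED_DIRECTIVES = ['RewriteEngine', 'RewriteBase', 'RewriteCond', 'RewriteRule'];

/**
 * Returns [] when $content is acceptable, otherwise one message per
 * offending line, suitable for display in the admin form.
 */
function validate_htaccess(string $content): array
{
    $errors = [];
    // Fold backslash-continued lines first, so a directive cannot be split
    // across two lines to get past the per-line check.
    $content = preg_replace('/\\\\\r?\n/', ' ', $content);
    $allowed = array_map('strtolower', HTACCESS_ALLOWED_DIRECTIVES);
    $depth = 0;
    foreach (preg_split('/\r?\n/', $content) as $i => $line) {
        $n = $i + 1;
        $t = trim($line);
        if ($t === '' || $t[0] === '#') {
            continue; // blank line or comment
        }
        if (preg_match('/^<IfModule\s+[\w.\/!]+\s*>$/i', $t)) { $depth++; continue; }
        if (preg_match('/^<\/IfModule\s*>$/i', $t)) {
            if (--$depth < 0) { $errors[] = "line $n: </IfModule> without opening tag"; }
            continue;
        }
        if ($t[0] === '<') { // any other section (<Files>, <FilesMatch>, ...) is refused
            $errors[] = "line $n: section '$t' is not permitted";
            continue;
        }
        $directive = preg_split('/\s+/', $t, 2)[0]; // Apache directives are case-insensitive
        if (!in_array(strtolower($directive), $allowed, true)) {
            $errors[] = "line $n: directive '$directive' is not permitted";
        }
    }
    if ($depth !== 0) { $errors[] = 'unclosed <IfModule> section'; }
    return $errors;
}

// Constructed samples: a normal rewrite block, then the same block with the
// extension-remapping line from the issue appended.
$ok  = "<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\nRewriteRule ^(.*)$ index.php?u=$1 [L,QSA]\n</IfModule>\n";
$bad = $ok . "AddType application/x-httpd-php .abc\n";
var_dump(validate_htaccess($ok));
var_dump(validate_htaccess($bad));
```

An allowlist is preferable to a denylist here because it does not need to enumerate every directive that could change how files are handled.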

azett commented 4 months ago

Thanks for your detailed input, @JuyLang ! I like @Fraenkiman 's idea of letting the FlatPress Protect plugin deactivate the htaccess editing possibilities of the PrettyURLs plugin. This way, the problem would be fixed while still letting the site admin decide.

@Fraenkiman , it would be good to have the FlatPress Protect plugin activated by default - is there any reason not to?

Fraenkiman commented 4 months ago

@azett I have added a supplement to the master branch with ba06aa3, which:

  1. the FlatPress Protect plugin is activated by default.
  2. in the admin menu PrettyURLs, the user is shown the appropriate message depending on the status.

That would close this issue.

What do you think?

azett commented 4 months ago

Seems a fitting solution to me, thanks a lot!