Open yasmagic opened 1 year ago

Anyone can upload a PHP or shell script using the image tool. It does not do any validation to restrict uploads to image file types only. As a result, anyone can easily perform a web shell attack and get access to the server and database.

The provided upload.php is a very basic example and is not intended to be used in production as it is.
I added file extension checking to deny certain extensions such as php, and the code can be easily changed from a deny list to an allow list to be more restrictive.
https://github.com/givanz/VvvebJs/commit/a0825e50aef5573a174e6496f6262fd5912ab0e5

Thank you. Image file restriction wasn't working on your demo server. :) So, the chances of a web shell attack are very high.

The VvvebJs demo does not allow uploads at all; only the CMS demo allows uploads, but it restricts PHP upload. This is temporary until the permissions feature is implemented, and the demo is reinstalled periodically.
If you found this issue in another place, let me know and I will fix it.
Thanks.
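The maintainer's remark above about switching the extension check from a deny list to an allow list is the crux of the fix, so here is an added example that puts the two side by side. This code is not VvvebJs' upload.php and not taken from the linked commit; the function names, the allowed-extension list, and the constructed sample files (a 1x1 PNG and a tiny PHP script saved under image-looking names) are assumptions made for illustration. It also goes one step beyond an extension check, which the thread only mentions: the uploaded bytes must be a real image whose MIME type matches the extension, and the stored name is never the client-supplied one.

```php
<?php
// Added example, not VvvebJs' own upload.php. Function names and the allowed-extension
// list are assumptions for illustration. Run from the CLI: php upload_check_demo.php

// Deny-list style check: rejects only the extensions it names, so anything it did not
// think of (phtml, phar, php5, upper-case PHP, ...) passes.
function denyListAllows(string $filename, array $denied = ['php']): bool {
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return !in_array($ext, $denied, true);
}

// Allow-list: extension must be one of a small set of image extensions, compared
// case-insensitively so "photo.JPG" and "shell.PHP" are treated consistently.
const ALLOWED_IMAGE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

function allowListAllows(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_IMAGE_TYPES);
}

// Full check: allow-listed extension, matching MIME type from the actual bytes, and the
// file must decode as an image. Returns a random server-side name with the validated
// extension; throws on any failure so a caller cannot silently fall through.
// In a real handler $tmpPath is $_FILES['file']['tmp_name'] and $originalName is
// $_FILES['file']['name'].
function validateImageUpload(string $tmpPath, string $originalName): string {
    if (!allowListAllows($originalName)) {
        throw new RuntimeException("extension not allowed: $originalName");
    }
    $ext  = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    if (getimagesize($tmpPath) === false) {
        throw new RuntimeException("file is not a decodable image");
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demo with constructed inputs (not real uploads): a 1x1 PNG and a PHP script.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $base   = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
    $png    = $base . '.png';
    $script = $base . '.txt';
    file_put_contents($png, base64_decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
    ));
    file_put_contents($script, "<?php echo 'not an image';\n");

    echo "Extension check only:\n";
    foreach (['photo.png', 'shell.php', 'shell.PHP', 'shell.phtml', 'shell.phar', 'shell.php.png'] as $name) {
        printf("  %-14s deny-list: %-5s  allow-list: %s\n", $name,
            denyListAllows($name) ? 'pass' : 'block',
            allowListAllows($name) ? 'pass' : 'block');
    }

    echo "Extension plus content check:\n";
    foreach ([[$png, 'photo.png'], [$script, 'shell.php.png'], [$script, 'shell.phtml']] as [$path, $name]) {
        try {
            printf("  %-14s stored as %s\n", $name, validateImageUpload($path, $name));
        } catch (RuntimeException $e) {
            printf("  %-14s rejected: %s\n", $name, $e->getMessage());
        }
    }
    unlink($png);
    unlink($script);
}
```

The extension-only loop shows why the maintainer's deny-to-allow switch matters: `shell.phtml`, `shell.phar` and `shell.PHP` sail through the deny list but are stopped by the allow list. `shell.php.png` passes both extension checks and is only caught by the content check, which is why the bytes have to be inspected as well. Even with all three checks, the upload directory should sit outside the web root or have script execution disabled, since a validated image under an attacker-chosen name is still a foothold if the server is ever configured to run it.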