harish-io / Impressionist

Visual tool to create impress.js presentations
683 stars 123 forks

Security hole allowing remote filesystem access #25

Closed dylanpyle closed 12 years ago

dylanpyle commented 12 years ago

Hi there, I haven't had time to check out the rest of the source at all, but on preliminary scan, the file 'alpha3/server/generateArchive.php' has a rather glaring security error. Simply put, this file is allowing any unvalidated, user-specified file name to be written to with any unvalidated, user-specified data. Here's what happens if, for example, the following inputs are passed:
$_POST["data"] = "Just a test! Hope this doesn't work"
$_POST["filename"] = "../../index"

result: http://www.hsivaram.com/impressionist/ (I didn't delete any data; there was no index page here before.)

One immediate fix would be to strip out dots and slashes from the file name to be written to. This should be done immediately, and retroactively -- fix this in all the previous versions you're hosting too!

I didn't want to submit a pull request since I have a feeling this may be an issue elsewhere. I would be verrry careful for the time being - your personal server is running code with some glaring security holes. My advice would be to take down your hosted copy immediately until you can resolve all of these with certainty.
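A hardened form of the handler described in this report, as an added example that is not code from the Impressionist repository. It checks the name against an allowlist instead of stripping dots and slashes as suggested above, and assumes the handler receives $_POST["filename"] and $_POST["data"] and writes into a fixed directory ($archiveDir below is assumed).

```php
<?php
// Added example, not code from the Impressionist repository. Assumes the archive
// handler receives $_POST["filename"] and $_POST["data"] as in the report and that
// generated files live under one fixed directory ($archiveDir below is assumed).

// Return an absolute path inside $baseDir for $filename, or null if the name is
// not acceptable. An allowlist (rather than stripping dots and slashes) rejects
// "../../index", absolute paths, NUL bytes and every other non-simple name.
function safeArchivePath(string $baseDir, string $filename): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $filename)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null; // the archive directory must already exist
    }
    $target = $base . DIRECTORY_SEPARATOR . $filename . '.html';
    // Defence in depth: the resolved parent of the target must still be $base,
    // so a symlinked or otherwise surprising directory layout cannot escape it.
    if (realpath(dirname($target)) !== $base) {
        return null;
    }
    return $target;
}

// Request handling as a hardened generateArchive.php might do it.
$archiveDir = __DIR__ . '/archives'; // assumed location, kept outside the document root
$path = safeArchivePath($archiveDir, (string)($_POST['filename'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('invalid filename');
}
// The body is still client-chosen bytes; keeping $archiveDir out of the web root
// means it is never served back as a page, unlike the result shown in the report.
if (file_put_contents($path, (string)($_POST['data'] ?? ''), LOCK_EX) === false) {
    http_response_code(500);
    exit('could not write archive');
}
```

With the inputs quoted in the report, safeArchivePath() returns null and the request is rejected with a 400 before anything is written.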

harish-io commented 12 years ago

Thanks a lot for logging this. I am not a server side expert, so this was expected. :) Working on resolving this now. Thanks again.