octobercms / october

Self-hosted CMS platform based on the Laravel PHP Framework.
https://octobercms.com/

Media manager vulnerability #2304

Closed alarstyle closed 8 years ago

alarstyle commented 8 years ago

In the media manager there is a restriction on uploading php files. But a user can rename any uploaded file to *.php.

Tested on 351 build.

PS: It would also be good to have the possibility to enter restricted or allowed file types in the settings section of the backend.

daftspunk commented 8 years ago

Thanks for the report @alarstyle, this has been fixed.

To override the blocked file types, define this entry in your config: cms.fileDefinitions.blockedExtensions. E.g. in config/cms.php:

```php
'fileDefinitions' => [
    'blockedExtensions' => ['asp', 'avfp', 'aspx', 'cshtml', 'cfm', 'go', 'gsp', 'hs', 'jsp', 'ssjs', 'js', 'lasso', 'lp', 'op', 'lua', 'p', 'cgi', 'ipl', 'pl', 'php', 'php3', 'php4', 'phtml', 'py', 'rhtml', 'rb', 'rbw', 'smx', 'tcl', 'dna', 'tpl', 'r', 'w', 'wig']
]
```

Note: Extensions listed above are the defaults.
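The point of the fix is that the blocked-extension list has to be enforced on every path that chooses a filename, not only on upload. The following added illustration (not code from octobercms/october; the function names are hypothetical) uses the default list quoted above and contrasts a rename path that trusts the new name with one that runs it through the same guard as the upload path:

```php
<?php
// Added illustration, not octobercms/october code. The extension list is the
// cms.fileDefinitions.blockedExtensions default quoted in this thread;
// function names are hypothetical.

$blockedExtensions = ['asp', 'avfp', 'aspx', 'cshtml', 'cfm', 'go', 'gsp', 'hs', 'jsp',
    'ssjs', 'js', 'lasso', 'lp', 'op', 'lua', 'p', 'cgi', 'ipl', 'pl', 'php', 'php3',
    'php4', 'phtml', 'py', 'rhtml', 'rb', 'rbw', 'smx', 'tcl', 'dna', 'tpl', 'r', 'w', 'wig'];

/**
 * Returns true when $fileName may be stored under the media root.
 * The extension after the last dot is compared lower-cased, so "Shell.PHP"
 * is treated the same as "shell.php".
 */
function isAllowedFileName(string $fileName, array $blocked): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

/**
 * Vulnerable shape (the behaviour reported above): the rename path accepts
 * whatever new name the user supplies, so "photo.jpg" can become "photo.php".
 */
function renameUnchecked(string $newName): string
{
    return $newName;
}

/**
 * Fixed shape: upload and rename share one guard, so a file accepted as
 * "photo.jpg" cannot later be given a blocked extension.
 */
function renameChecked(string $newName, array $blocked): string
{
    if (!isAllowedFileName($newName, $blocked)) {
        throw new InvalidArgumentException("Extension of {$newName} is not permitted");
    }
    return $newName;
}

// Walkthrough with constructed filenames
var_dump(isAllowedFileName('photo.jpg', $blockedExtensions));
var_dump(isAllowedFileName('photo.php', $blockedExtensions));
var_dump(isAllowedFileName('photo.PHTML', $blockedExtensions));
echo renameUnchecked('photo.php'), "\n";
try {
    renameChecked('photo.php', $blockedExtensions);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```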

daftspunk commented 8 years ago

This issue has been marked as Critical priority because we take all security issues seriously. However, to clarify: we consider this as a minor vulnerability, since it requires:

Great catch though! Fix deployed in Build 359+ (available right now)