sleemanj / xinha

WYSIWYG HTML Editor Component (turns <textarea> into HTML editors)
http://trac.xinha.org/

Security Issue - Corruption Potential (Trac #1514) #1514

Closed sleemanj closed 4 years ago

sleemanj commented 14 years ago

The compressors in the contrib folder, files compress.php and compress_yui.php, can be commonly found in installations of Xinha online and are potentially (probably) executable from the web simply by hitting the URL to the file.

In cases where the files are executed and java does not exist, the likely result is corruption of all the files on which compression is attempted, in the form:

```
/* This compressed file is part of Xinha. For uncompressed sources, forum, and bug reports, go to xinha.org */
sh: java: command not found
```

Other issues may cause similar corrupting results.

Many servers these days use suPHP or other methods to execute PHP scripts through the web server as the user owning the script, and thus the user likely has write access to all the Xinha files.

Many shared servers won't have java installed.

The potential for corruption is large, so all users should ensure that they take the following steps to prevent this:

  1. You could delete the contrib/compress.php and compress_yui.php files
  2. You could remove read permissions from the files to anybody
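  3. You could install something like the following .htaccess file in the contrib folder:

```
# If mod_php is loaded, switch the PHP engine off for this directory
<IfModule mod_php.c>
 php_flag engine off
</IfModule>
# Map script extensions to text/html, overriding any AddType that routes them to an interpreter
AddType text/html .html .htm .shtml .php .php3 .php4 .php5 .php6 .php7 .php8 .phtml .phtm .pl .py .cgi
# Drop any handler bound to the PHP extensions
RemoveHandler .php
RemoveHandler .php8
RemoveHandler .php7
RemoveHandler .php6
RemoveHandler .php5
RemoveHandler .php4
RemoveHandler .php3
```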

The following changeset will add such an .htaccess and also some protection that if java does fail in this manner, the corruption won't occur anyway.

Reported by @sleemanj, migrated from http://trac.xinha.org/ticket/1514
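An added illustration of the second protection mentioned in the ticket above (a failed java run must not corrupt the file); this is not the changeset's code and not part of the original ticket. The function name `safe_compress` and the stdin-to-stdout compressor interface are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Xinha's code.
# Pattern that yields the corruption described in the ticket (assumed form):
#     java -jar compressor.jar file.js > file.js 2>&1
# The shell's "command not found" text lands in the file and the source is lost.
#
# Usage: safe_compress FILE COMPRESSOR [ARGS...]
# COMPRESSOR reads FILE on stdin and writes the compressed result to stdout.
safe_compress() {
    src=$1
    shift
    [ -f "$src" ] || return 2

    # Temp file beside the original, so the final mv is a same-filesystem rename.
    tmp=$(mktemp "${src}.XXXXXX") || return 2
    # Copy first so the temp file carries the original's mode and timestamps;
    # the redirect below truncates the content but keeps the mode.
    cp -p "$src" "$tmp" || { rm -f "$tmp"; return 2; }

    # stderr is discarded, never merged into the output, and the exit status
    # is checked: a missing java binary gives status 127 and writes nothing
    # that could replace the original.
    if ! "$@" <"$src" >"$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi

    # A compressor that "succeeds" with empty output is treated as a failure.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi

    # Only now is the original replaced.
    mv -f "$tmp" "$src"
}
```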

sleemanj commented 14 years ago

Dup #1515