srs81 / CakePHP-AjaxMultiUpload

CakePHP 2 plugin to allow for easy multi-file upload with AJAX

Security issue? #38

Closed Eric-11 closed 9 years ago

Eric-11 commented 11 years ago

It seems this plugin violates two basic rules:

  1. Uploads are inside the webroot
  2. File names are not renamed to prevent remote access

This allows someone to upload a pwn.php file then run it via /files/pwn.php

While I haven't checked further there could be other issues based on comments I've seen:

  1. If overwrites are not checked, then multiple users could destroy each other's data by uploading different readme.txt files at the same time.

srs81 commented 9 years ago

Thanks for bringing this up. I think this could be three separate issues, but let me address them.

The PHP upload issue should be taken care of, due to a friend's commit - PHP files can no longer be uploaded for security reasons.

As for uploads being in webroot and file renaming - agreed these are publicly accessible if someone knows the full path to the file. In order to fix this, we would need to upload to somewhere non-public, and then write a PHP script to load the file and return it.
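The fix described in the reply above (store outside the webroot, rename on disk, serve through a script), written out as an added CakePHP 2 controller example; this is not the plugin's own code. It assumes a model `Upload` with columns `id`, `original_name` and `stored_name`, and a form field `data[Upload][file]`.

```php
<?php
// Added example, not the plugin's code: uploads land outside WWW_ROOT under a
// random name and are only reachable through the view() action.
// Assumed schema: Upload(id, original_name, stored_name).
App::uses('AppController', 'Controller');

class UploadsController extends AppController {

    // Storage directory outside the webroot, so nothing here is served directly.
    private $storageDir;

    public function beforeFilter() {
        parent::beforeFilter();
        $this->storageDir = APP . 'uploads' . DS;
    }

    public function add() {
        $file = $this->request->data['Upload']['file'];
        if (empty($file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
            throw new BadRequestException('Upload failed');
        }
        // Allowlist of extensions; a denylist of ".php" alone misses variants.
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if (!in_array($ext, array('jpg', 'png', 'pdf', 'txt'), true)) {
            throw new BadRequestException('File type not allowed');
        }
        // Random stored name: no user-controlled path, no overwrite races
        // between two users uploading the same readme.txt.
        $stored = bin2hex(openssl_random_pseudo_bytes(16));
        if (!move_uploaded_file($file['tmp_name'], $this->storageDir . $stored)) {
            throw new InternalErrorException('Could not store file');
        }
        $this->Upload->save(array('Upload' => array(
            'original_name' => basename($file['name']),
            'stored_name' => $stored,
        )));
        return $this->redirect(array('action' => 'index'));
    }

    public function view($id = null) {
        $upload = $this->Upload->findById($id);
        if (!$upload) {
            throw new NotFoundException('File not found');
        }
        // Put the authorization check here (e.g. record owner == logged-in user).
        // CakeResponse::file() (CakePHP 2.3+) streams the file as a download,
        // so even an uploaded script is never executed by the server.
        $this->response->file($this->storageDir . $upload['Upload']['stored_name'],
            array('download' => true, 'name' => $upload['Upload']['original_name']));
        return $this->response;
    }
}
```

The original filename is kept only as a database value for the download header; it never becomes part of a filesystem path.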