typemill / typemill

Typemill is a lightweight, flat-file CMS designed for simple, fast, and flexible website and eBook creation using Markdown.
https://typemill.net
MIT License
427 stars, 60 forks

V1.5.3: Unrestricted File Upload Vulnerability #325

Closed b1ackc4t closed 2 years ago

b1ackc4t commented 2 years ago

See PDF for details: typemill-1.5.3-backstage.UploadVul.pdf

trendschau commented 2 years ago

Thank you for reporting, the upload feature is for registered users only.

I will fix that asap and upload a hotfix version.

trendschau commented 2 years ago

Just published the hotfix 1.5.3.1. I added a separate extension check and repeated the mimetype check when the file is uploaded to the temporary folder. If the mimetype check fails there, then the file is deleted immediately. Also updated the htaccess.

Vulnerability reported in #268 is still fixed.

The reason behind this security hole: some environments did not support the mimetype extraction of a base64 string, so as a quick fix I made it conditional, and this opened up this vulnerability. Now solved properly by checking the mimetype of the stored file, which works in all environments.

Thank you for reporting again!
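The check order the hotfix describes (extension allowlist, write to the temp folder, then re-check the MIME type of the stored file and delete it on mismatch), shown as an added example that is not Typemill's own code; the allowlist, the function name `storeUpload`, and the data-URL payload format are assumptions:

```php
<?php
// Added example, not Typemill's code. Mirrors the hotfix's two-stage check:
// extension allowlist first, then a MIME check on the file actually stored
// in the temp folder (sniffing the stored file works in all environments,
// unlike sniffing the base64 string). Allowlist and names are assumptions.

const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns the stored path on success, or an "rejected: ..." string.
 * $dataUrl is what the editor sends, e.g. "data:image/png;base64,...".
 */
function storeUpload(string $name, string $dataUrl, string $tmpDir): string
{
    // 1. Extension check against the allowlist. The client-supplied
    //    "data:<mime>" prefix is never trusted for this decision.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return "rejected: extension .$ext not allowed";
    }

    // 2. Decode the payload and write it to the temporary folder under a
    //    server-generated name, so the user-supplied name never hits disk.
    $payload = substr($dataUrl, (int) strpos($dataUrl, ',') + 1);
    $data = base64_decode($payload, true);
    if ($data === false) {
        return 'rejected: payload is not valid base64';
    }
    $path = rtrim($tmpDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    file_put_contents($path, $data);

    // 3. Re-check the MIME type of the stored bytes; delete on mismatch so a
    //    rejected file never survives in the temp folder.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        unlink($path);
        return "rejected: stored content is $mime, not allowed for .$ext";
    }
    return $path;
}
```

The web server rule the comment mentions (the updated htaccess) is a separate layer: even a file that passes both checks should sit in a directory the server never executes scripts from.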

MeteoLukas commented 2 years ago

Hi @trendschau, I'm new to Typemill. I successfully installed version 1.5.3.1 yesterday but found an issue with file upload. Folders and files have the appropriate permissions and I can upload a picture with an FTP client to /media/... but not using the "image upload" button in the editor view. The image does not upload fully, meaning that the "loading" GIF below the uploaded image does not stop rotating even after waiting a few minutes. Similarly, for file upload, the file does not upload. Since this might be related to this fix, I thought about leaving a comment here. Thanks for checking, I hope that it's not related to my infrastructure...

trendschau commented 2 years ago

I cannot reproduce that error. Can you please open your developer tools in the browser, upload an image or file again and check the errors in the dev-tools? You should see something in the tabs "console" and/or "network".

MeteoLukas commented 2 years ago

Thanks for your quick response, here is the error: (screenshot) Update: I installed Typemill on a different host and it works there. Might be a different configuration? They are both running PHP 8.0.

trendschau commented 2 years ago

Can you click on "network" and then inspect the call to api/v1/image? Just click on the call and then open the tab "response" and please post the content of the response, there should be a detailed error message. Before you do that, please go to the settings in the admin area, scroll down to developer settings and activate the checkbox for report errors so that all error details are visible.

MeteoLukas commented 2 years ago

Thanks @trendschau for the hint. I found the error: I got "Access denied by security policy" coming from the WAF (mod security). Allowing the image upload process, I'm now able to upload images. In case this helps others: I'm using Hoststar and in the settings -> Hosting -> ModSecurity you can allow processes that recently failed...