-
Conceptional security issue with assets folder

10 December 2008 at 8:55pm
Since any CMS user can upload files to the "assets" folder and this folder is below the webserver's DocumentRoot, there is no way to prevent the CMS user from uploading, for instance, a file "phpinfo.php" with
<?php phpinfo(); ?>
and then call http://www.silversite.com/assets/phpinfo.php to get any information!
With SilverStripe knowledge the ordinary CMS user can manipulate/destroy/query anything!
-
Re: Conceptional security issue with assets folder

10 December 2008 at 9:59pm
I would assume the general consensus is that you trust the users who have permission to access the admin area, and even more so the file uploads area.
-
Re: Conceptional security issue with assets folder

10 December 2008 at 10:04pm
But the ordinary content editor should be able to upload images, pdfs and the like.
He should not be able to access the whole system in this way by uploading code.
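
Added example, not part of any post in this thread and not SilverStripe's own code: one way to enforce the policy the last reply asks for (images and PDFs allowed, code rejected) is an extension allow-list applied to the uploaded file name. The function name, the allowed extensions and the sample names are assumptions made for illustration.

```php
<?php
// Hypothetical helper (not a SilverStripe API). The allow-list is an assumed
// policy for content editors: images and PDFs only.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/** Returns the name to store the upload under, or null if it must be rejected. */
function safe_upload_name(string $clientName): ?string
{
    // Keep only the last path component; the client controls the whole string.
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject empty names, dot-files such as ".htaccess", and control/NUL bytes.
    if ($base === '' || $base[0] === '.' || preg_match('/[\x00-\x1f]/', $base)) {
        return null;
    }

    // Some filesystems ignore trailing dots and spaces ("x.php." is "x.php").
    $parts = explode('.', strtolower(rtrim($base, '. ')));
    if (count($parts) < 2) {
        return null; // no extension at all
    }

    // Allow-list on the final extension, never a deny-list of "bad" ones.
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Collapse the rest to one dot-free stem, so "a.php.jpg" is stored as
    // "a_php.jpg" and no inner segment can be read as a second extension.
    $stem = trim(preg_replace('/[^a-z0-9_-]+/', '_', implode('_', $parts)), '_');
    return $stem === '' ? null : $stem . '.' . $ext;
}

// Constructed sample names, including the one from the first post.
$samples = ['holiday.JPG', 'phpinfo.php', 'a.php.jpg', 'x.php.', '.htaccess',
            '../../index.php', 'report.v2.pdf', 'noextension'];
foreach ($samples as $name) {
    $stored = safe_upload_name($name);
    printf("%-18s => %s\n", $name, $stored ?? 'REJECTED');
}
```

A name check alone does not cover a web server that is configured to run scripts from the upload directory, so the assets folder should also be served with script execution switched off.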


