Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Archive /

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

Conceptional security issue with assets folder


Reply


3 Posts   1654 Views

Avatar
freakout

Community Member, 49 Posts

10 December 2008 at 8:55pm

Since any CMS user can upload files to the "assets" folder and this folder is below the webserver's DocumentRoot there is no way to protect the CMS-user to upload for instance a file "phpinfo.php" with

<?php phpinfo(); ?>

and then call http://www.silversite.com/assets/phpinfo.php to get any information!

With SilverStripe knowledge the ordinary CMS user can manipulte/destroy/query anything!

Avatar
Liam

Community Member, 470 Posts

10 December 2008 at 9:59pm

I would assume the general consensus is that you trust the users who have permission to access the admin area, and even more so the file uploads area.

Avatar
freakout

Community Member, 49 Posts

10 December 2008 at 10:04pm

But the ordinary content editor should be able to upload images, pdfs and the like.
He should not be able to access the whole system in this way by uploading code.