Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.


Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

Conceptional security issue with assets folder


3 Posts   1585 Views


10 December 2008 at 8:55pm Community Member, 49 Posts

Since any CMS user can upload files to the "assets" folder and this folder is below the webserver's DocumentRoot there is no way to protect the CMS-user to upload for instance a file "phpinfo.php" with

<?php phpinfo(); ?>

and then call to get any information!

With SilverStripe knowledge the ordinary CMS user can manipulte/destroy/query anything!


10 December 2008 at 9:59pm Community Member, 470 Posts

I would assume the general consensus is that you trust the users who have permission to access the admin area, and even more so the file uploads area.


10 December 2008 at 10:04pm Community Member, 49 Posts

But the ordinary content editor should be able to upload images, pdfs and the like.
He should not be able to access the whole system in this way by uploading code.