Conceptional security issue with assets folder


freakout

Community Member, 49 Posts

10 December 2008 at 8:55pm

Since any CMS user can upload files to the "assets" folder, and this folder is below the webserver's DocumentRoot, there is no way to prevent the CMS user from uploading, for instance, a file "phpinfo.php" with

<?php phpinfo(); ?>

and then call http://www.silversite.com/assets/phpinfo.php to get any information!

With SilverStripe knowledge the ordinary CMS user can manipulate/destroy/query anything!

Liam

Community Member, 470 Posts

10 December 2008 at 9:59pm

I would assume the general consensus is that you trust the users who have permission to access the admin area, and even more so the file uploads area.

freakout

Community Member, 49 Posts

10 December 2008 at 10:04pm

But the ordinary content editor should be able to upload images, PDFs and the like.
He should not be able to access the whole system in this way by uploading code.
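
The split the thread asks for (images and PDFs accepted, code refused) can be enforced at upload time. The following is an added example, not part of the thread and not SilverStripe's own code; the allowlist, the function name `safeStoredName` and the sample file names are assumptions.

```php
<?php
// Added example (not SilverStripe code). Allowlist and names are assumptions.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Map a client-supplied upload name to a safe name for storage under assets/,
 * or return null when the upload must be refused.
 */
function safeStoredName(string $clientName): ?string
{
    // Keep only the last path component, whichever separator the client used.
    $name = basename(str_replace('\\', '/', $clientName));

    // NUL bytes and dotfiles (.htaccess, .user.ini) are refused outright:
    // a dotfile could change how the web server treats the whole folder.
    if ($name === '' || strpos($name, "\0") !== false || $name[0] === '.') {
        return null;
    }

    // Some filesystems strip trailing dots and spaces, so "phpinfo.php."
    // could end up stored as "phpinfo.php". Normalise before checking.
    $name = rtrim($name, '. ');
    $dot = strrpos($name, '.');
    if ($dot === false) {
        return null; // no extension at all
    }
    $ext = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Store under a server-generated base name with exactly one extension.
    // This drops inner segments such as the ".php" in "photo.php.jpg", which
    // a server that inspects every dot-separated extension could still act on.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names, not taken from the thread (except phpinfo.php).
$samples = ['holiday.JPG', 'report.v2.pdf', 'phpinfo.php', 'photo.php.jpg',
            'phpinfo.php.', '.htaccess', '..\\..\\index.php', 'README'];
foreach ($samples as $s) {
    $stored = safeStoredName($s);
    printf("%-20s %s\n", $s, $stored === null ? 'REFUSED' : "stored as $stored");
}
```

A name check only controls what lands in the folder; configuring the web server so that nothing under the assets directory is handed to the PHP interpreter is the complementary control.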