
general security issue with assets

Kleinforstkoenig

7 April 2009 at 9:23pm (Last edited: 7 April 2009 9:33pm), Community Member, 3 Posts

I've read in the archive about a security issue with the assets folder (SilverStripe V. 2.2.3)
by uploading code files as an asset into the CMS structure. (http://www.silverstripe.org/archive/show/247117#post247117)
These files can be executed by everybody, so it's possible to query/drop the whole database.

Well, this bug hasn't been fixed for about 5 months and it's still working fine with SilverStripe 2.3.1.
I think this could be a big problem when thinking of social engineering issues.

A typical content editor does not have the knowledge about what to upload or not.

greetings,
S.P

Taffy

7 April 2009 at 10:14pm Community Member, 119 Posts

A community member has created a module that might help http://silverstripe.org/secure-files/

FungshuiElephant

19 June 2009 at 3:06am (Last edited: 19 June 2009 3:11am), Community Member, 57 Posts

In addition to Taffy's suggestion, which should prevent execution, you should be able to block direct access to PHP files in the assets directory with a mod_rewrite rule; something like:

# Match any request whose path points at a .php file below /assets/
# ([NC] so that .PHP / .Php are caught as well, since handler matching is case-insensitive) ...
RewriteCond %{REQUEST_URI} ^.*\/assets\/.*\.php$ [NC]
# ... and serve the static 404 page instead of handing the file to PHP.
# [L] stops later rules from processing the rewritten request.
RewriteRule .* assets/error-404.html [L]

which basically looks for php files in the assets folder and redirects them to the error-404.html page.

(Obviously that will need to go above the other rewrite stuff that directs requests to the silverstripe code.)
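The rewrite rule above is one layer; the other is refusing server-executable files at upload time so a content editor cannot be talked into placing them in assets at all. The following is an added example, not code from this thread or from SilverStripe: a filename policy for an assets upload, with a constructed allowlist (ALLOWED_EXTENSIONS) and a constructed list of suffixes Apache may execute (SERVER_EXECUTABLE), that also covers the cases a naive "ends with .jpg" check misses (double extensions, upper-case, trailing dots, dotfiles such as .htaccess, path components, NUL bytes).

```python
from __future__ import annotations
from pathlib import PurePosixPath

# Constructed policy for an assets upload: allowlist what editors may upload,
# rather than trying to enumerate everything the web server might execute.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "zip"}

# Apache's mod_mime looks at every dotted suffix, so on a server configured with
# AddHandler a name like "photo.php.jpg" can still reach the PHP engine.
# Any of these anywhere in the name is refused; so is a dotfile such as .htaccess.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phps", "cgi", "pl", "htaccess"}

def classify_upload(filename: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate asset filename."""
    if not filename or "\x00" in filename:
        return False, "empty name or NUL byte"
    normalised = filename.replace("\\", "/")
    name = PurePosixPath(normalised).name  # keep only the final path component
    if name != normalised or name in (".", ".."):
        return False, "path separator or traversal in filename"
    name = name.rstrip(". ").lower()  # trailing dots/spaces are dropped by some filesystems
    parts = name.split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "missing extension or dotfile"
    suffixes = parts[1:]
    executable = [s for s in suffixes if s in SERVER_EXECUTABLE]
    if executable:
        return False, f"server-executable suffix {executable[0]!r}"
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension {suffixes[-1]!r} not in allowlist"
    return True, "ok"

def rejected_uploads(filenames: list[str]) -> dict[str, str]:
    """Map each refused filename to the reason; accepted names are omitted."""
    return {f: reason for f in filenames for ok, reason in [classify_upload(f)] if not ok}

# Constructed sample batch: names an editor might be talked into uploading,
# plus a few that slip past a naive "ends with .jpg" check.
SAMPLE_BATCH = [
    "brochure.pdf", "team-photo.JPG", "backup.php", "photo.php.jpg",
    "notes.PhP.", ".htaccess", "../../index.php", "report.doc\x00.jpg",
]

if __name__ == "__main__":
    for name, why in rejected_uploads(SAMPLE_BATCH).items():
        print(f"REJECT {name!r}: {why}")
```

Validate the name the server will actually write, not the one the browser sent, and keep the web-server rule in place as well, since a validator only protects the upload path it is wired into.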