
general security issue with assets


Kleinforstkoenig

Community Member, 3 Posts

7 April 2009 at 9:23pm

Edited: 07/04/2009 9:33pm

I've read in the archive about a security issue with the assets folder (SilverStripe V. 2.2.3)
by uploading code files as an asset into the CMS structure. (http://www.silverstripe.org/archive/show/247117#post247117)
These files can be executed by everybody, so it's possible to query/drop the whole database.

Well, this bug hasn't been fixed for about 5 months and it's still working fine with SilverStripe 2.3.1.
I think this could be a big problem when thinking of social engineering issues.

A typical content editor does not have the knowledge about what to upload or not.

greetings,
S.P

Taffy

Community Member, 119 Posts

7 April 2009 at 10:14pm

A community member has created a module that might help: http://silverstripe.org/secure-files/

FungshuiElephant

Community Member, 57 Posts

19 June 2009 at 3:06am

Edited: 19/06/2009 3:11am

In addition to Taffy's suggestion, which should prevent execution, you should be able to block direct access to php files in the assets directory with a mod_rewrite rule; something like:

RewriteCond %{REQUEST_URI} ^.*\/assets\/.*\.php$
RewriteRule .* assets/error-404.html

which basically looks for php files in the assets folder and redirects them to the error-404.html page.

(Obviously that will need to go above the other rewrite stuff that directs requests to the SilverStripe code.)
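A hardened form of the rule above, added here as an example and not taken from the thread or from SilverStripe itself. It assumes Apache 2.2 with mod_rewrite and mod_php, a site-root .htaccess placed above SilverStripe's own rewrite rules, and that uploads live under /assets/ (the directory name is the one used in the thread).

```apache
# Added example, not from the original thread. Assumed setup: Apache 2.2, mod_rewrite
# and mod_php, site-root .htaccess, uploads stored under /assets/.
RewriteEngine On

# Refuse any request whose path contains "/assets/" followed by ".php" anywhere,
# not only at the very end of the URI as the original "\.php$" did, so a trailing
# path segment after the file name is caught too. [NC] makes the match
# case-insensitive ("FILE.PHP"), [F] answers 403 Forbidden instead of rewriting to
# an error-404.html that may not exist, and [L] stops further rule processing.
# This block must sit above the SilverStripe rules that route requests to its code.
RewriteCond %{REQUEST_URI} /assets/.*\.php [NC]
RewriteRule .* - [F,L]

# Defence in depth: if the rewrite layer is ever bypassed or switched off, also keep
# the PHP engine from running anything stored under assets. These lines belong in
# assets/.htaccess (they need AllowOverride Options and Limit for that directory):
#
#   php_flag engine off
#   <FilesMatch "\.php">
#       Order allow,deny
#       Deny from all
#   </FilesMatch>
#
# On Apache 2.4 replace the two Order/Deny lines with: Require all denied
```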