-
general security issue with assets

7 April 2009 at 9:23pm Last edited: 7 April 2009 9:33pm
I've read in the archive about a security issue with the assets folder (SilverStripe V. 2.2.3)
by uploading code files as an asset into the CMS structure. (http://www.silverstripe.org/archive/show/247117#post247117)
These files can be executed by everybody, so it's possible to query/drop the whole database. Well, this bug hasn't been fixed for about 5 months and it's still working fine with SilverStripe 2.3.1.
I think this could be a big problem when thinking of social engineering issues. A typical content editor does not have the knowledge about what to upload or not.
greetings,
S.P
-
Re: general security issue with assets

7 April 2009 at 10:14pm
A community member has created a module that might help http://silverstripe.org/secure-files/
-
Re: general security issue with assets

19 June 2009 at 3:06am Last edited: 19 June 2009 3:11am
In addition to Taffy's suggestion, which should prevent execution, you should be able to block the direct accessing of PHP files in the assets directory with a mod_rewrite rule; something like:
RewriteCond %{REQUEST_URI} ^.*\/assets\/.*\.php$
RewriteRule .* assets/error-404.html
which basically looks for PHP files in the assets folder and redirects them to the error-404.html page.
(Obviously that will need to go above the other rewrite stuff that directs requests to the SilverStripe code.)
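
The rule from the post above, shown beside a tightened variant, as an added example that is not part of the thread or of SilverStripe's own configuration. The extension list, the path-info handling and the choice of a 403 response are assumptions to adjust to what the server actually maps to its PHP handler.

```apache
# Site .htaccess, placed above the rewrite rules that route requests to
# SilverStripe (the ordering requirement stated in the post).
RewriteEngine On

# Rule as posted, kept here for comparison only. RewriteCond patterns are
# case-sensitive by default, and the pattern requires the URI to end in
# exactly ".php", so it covers lowercase ".php" files and nothing else.
# RewriteCond %{REQUEST_URI} ^.*\/assets\/.*\.php$
# RewriteRule .* assets/error-404.html

# Tightened variant (assumptions labelled):
#  - [NC] makes the comparison case-insensitive.
#  - The extension alternation is an assumed list of suffixes that a PHP
#    handler is commonly mapped to; trim or extend it to match this server.
#  - (/|$) also covers a request that appends a path-info segment after
#    the script name.
#  - "-" means no substitution; [F] answers 403 Forbidden and implies [L],
#    so nothing under assets/ with these suffixes reaches the PHP handler
#    or the SilverStripe rules further down.
RewriteCond %{REQUEST_URI} /assets/.*\.(php[0-9]?|phtml|phar)(/|$) [NC]
RewriteRule .* - [F]
```

The rewrite rule only filters requests; uploaded files with these suffixes still sit on disk, so restricting which file types the upload form accepts remains a separate control.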



