general security issue with assets

7 April 2009 at 9:23pm Last edited: 7 April 2009 9:33pm
I've read in the archive about a security issue with the assets folder (SilverStripe V. 2.2.3)
by uploading code files as an asset into the CMS structure. (http://www.silverstripe.org/archive/show/247117#post247117)
These files can be executed by everybody, so it's possible to query/drop the whole database. Well, this bug hasn't been fixed for about 5 months and it's still working fine with SilverStripe 2.3.1.
I think this could be a big problem when thinking of social engineering issues. A typical content editor does not have the knowledge about what to upload or not.
greetings,
S.P
Re: general security issue with assets

7 April 2009 at 10:14pm
A community member has created a module that might help http://silverstripe.org/secure-files/
Re: general security issue with assets

19 June 2009 at 3:06am Last edited: 19 June 2009 3:11am
In addition to Taffy's suggestion, which should prevent execution, you should be able to block the direct accessing of php files in the assets directory with a mod_rewrite rule; something like:

RewriteCond %{REQUEST_URI} ^.*\/assets\/.*\.php$
RewriteRule .* assets/error-404.html

which basically looks for php files in the assets folder and redirects them to the error-404.html page.
(Obviously that will need to go above the other rewrite stuff that directs requests to the silverstripe code.)
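The rewrite rule above only hides the file; if the URL ever reaches PHP another way the upload still runs. The following .htaccess is an added example (not posted in this thread and not part of SilverStripe itself) for the assets/ directory that also disables the PHP engine there. It assumes Apache 2.4 with mod_rewrite and mod_php, and that AllowOverride permits these directives.

```apache
# Added example: hardened .htaccess placed in the SilverStripe assets/ directory.
# Assumes Apache 2.4 (on 2.2 replace "Require all denied" with "Deny from all").

# 1. Never hand anything in this directory to the PHP interpreter, whatever its name.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php5
RemoveType    .php .phtml .php3 .php5

# 2. Refuse to serve script-like files at all, so their source is not leaked either.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>

# 3. The rule suggested in the thread, made case-insensitive ([NC]) and terminal ([L]);
#    error-404.html is assumed to exist in assets/ as in the post.
RewriteEngine On
RewriteCond %{REQUEST_URI} \.php$ [NC]
RewriteRule .* error-404.html [L]
```

After deploying, request an uploaded test file such as assets/Uploads/probe.php and confirm the response is the 404 page (or 403 from step 2), not interpreter output.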