Jump to:

22993 Posts in 11829 Topics by 2827 members

General Questions

SilverStripe Forums » General Questions » general security issue with assets

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Page: 1
Go to End
Author Topic: 1074 Views
  • Kleinforstkoenig
    Avatar
    Community Member
    3 Posts

    general security issue with assets Link to this post

    I've read in the archive about a security issue with the assets folder (SilverStripe V. 2.2.3)
    by uploading code-files as an asset into the CMS structure. (http://www.silverstripe.org/archive/show/247117#post247117)
    This files can be executed by everybody, so its possible to query/drop the whole database.

    Well, this bug hasn't been fixed for about 5 month and its still working fine with SilverStripe 2.3.1 .
    I think this could be a big problem while thinking of social engineering issues.

    A typical content editor has not the knowledge about what to upload or not.

    greetings,
    S.P

  • Taffy
    Avatar
    Community Member
    119 Posts

    Re: general security issue with assets Link to this post

    A community member has created a module that might help http://silverstripe.org/secure-files/

  • FungshuiElephant
    Avatar
    Community Member
    57 Posts

    Re: general security issue with assets Link to this post

    In addition to Taffy's suggestion which should prevent execution you should be able to block the direct accessing of php files in the assets directory with a mod rewrite rule; something like:

    RewriteCond %{REQUEST_URI} ^.*\/assets\/.*\.php$
    RewriteRule .* assets/error-404.html

    which basically looks for php files in the assets folder and redirects them to the error-404.html page.

    (Obviously that will need to go above the other rewrite stuff that directs requests to the silverstripe code.)

    1074 Views
Page: 1
Go to Top

Want to know more about the company that brought you SilverStripe? Then check out SilverStripe.com

Comments on this website? Please give feedback.