general security issue with assets


3 Posts   1806 Views

Kleinforstkoenig

Community Member, 3 Posts

7 April 2009 at 9:23pm

Edited: 07/04/2009 9:33pm

I've read in the archive about a security issue with the assets folder (SilverStripe V. 2.2.3)
caused by uploading code files as an asset into the CMS structure. (http://www.silverstripe.org/archive/show/247117#post247117)
These files can be executed by everybody, so it's possible to query/drop the whole database.

Well, this bug hasn't been fixed for about 5 months and it's still working fine with SilverStripe 2.3.1.
I think this could be a big problem when thinking of social engineering issues.

A typical content editor does not have the knowledge about what to upload or not.

greetings,
S.P

Taffy

Community Member, 119 Posts

7 April 2009 at 10:14pm

A community member has created a module that might help http://silverstripe.org/secure-files/

FungshuiElephant

Community Member, 57 Posts

19 June 2009 at 3:06am

Edited: 19/06/2009 3:11am

In addition to Taffy's suggestion, which should prevent execution, you should be able to block direct access to php files in the assets directory with a mod_rewrite rule; something like:

# Match any request for a .php file anywhere under /assets/ (NC = case-insensitive, so .PHP is caught too)
RewriteCond %{REQUEST_URI} ^.*\/assets\/.*\.php$ [NC]
# Serve the static 404 page instead; L = stop processing further rewrite rules
RewriteRule .* assets/error-404.html [L]

which basically looks for php files in the assets folder and redirects them to the error-404.html page.

(Obviously that will need to go above the other rewrite stuff that directs requests to the silverstripe code.)
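A defence-in-depth complement to the rewrite rule in the post above, added here as an example and not part of this thread or of SilverStripe's own .htaccess: a per-directory .htaccess placed inside assets/ that switches off server-side execution for everything uploaded through the CMS, whatever URL is used to reach it. It assumes Apache 2.2 with mod_php and an AllowOverride setting that permits Options, FileInfo and Limit; the extension list is an assumption and should be extended to whatever handlers the host actually has enabled.

```apache
# Added example (not SilverStripe's own .htaccess): save as assets/.htaccess
# so that nothing uploaded through the CMS can run as server-side code.
# Assumes Apache 2.2 + mod_php, AllowOverride Options FileInfo Limit.

# 1. Turn off the PHP engine for this directory tree (mod_php only;
#    under FastCGI/PHP-FPM this directive is ignored, so step 4 still matters).
php_flag engine off

# 2. Detach the PHP handlers/types so an AddHandler higher up cannot re-enable them.
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType    .php .phtml .php3 .php4 .php5

# 3. No CGI execution and no directory listings for uploaded content.
Options -ExecCGI -Indexes

# 4. Refuse to serve anything that looks like a script, regardless of handler state.
#    Case-insensitive, and "(\.|$)" also rejects double extensions such as name.php.jpg.
#    (Apache 2.4: replace the Order/Deny pair with "Require all denied".)
<FilesMatch "(?i)\.(php|phtml|php[3-5]|phar|pl|py|cgi|sh)(\.|$)">
    Order allow,deny
    Deny from all
</FilesMatch>
```

The rewrite rule earlier in the thread matches on REQUEST_URI, so a request whose URI does not end in .php (trailing path info, for instance) is not caught by that regex alone, whereas FilesMatch is evaluated against the file Apache is actually about to serve. After deploying, check that a request for a known test script under assets/ returns 403 rather than executing, and that ordinary images and the error-404.html page are still served.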