SS-2014-012: File Upload Restrictions
- Severity: Medium
- Identifier: SS-2014-012
- Versions Affected: 2.4, 3.0, 3.1
- Versions Fixed: 3.2, master
- Release Date: 2014-05-07
Several file types have been removed from the default list of allowed upload extensions, as they have been judged to carry a risk of exploitation. As of 3.2 these types are rejected by default when uploaded through `UploadField` or `Upload` form fields, unless a site explicitly allows them. The risk applies not only to front-end upload forms but also to uploads made from within the CMS.
The text-based formats XML, HTML, XHTML and HTM have been removed because they present a risk of JavaScript injection (a stored cross-site scripting vector): an uploaded document of one of these types is served from the site's own origin, and a browser that opens it may execute any script it contains, which can be used to hijack the session of an unsuspecting viewer, including administrators and front-end users. The script may be placed directly in the body of the document or loaded from an external source that the document references.
SWF (Adobe Flash) has also been removed as a default uploadable format. Details of the risk this format poses, and workarounds to mitigate it in a production environment, can be found in the Security Documentation.
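The following is an added example, not code from the advisory or from the SilverStripe framework itself. It shows the kind of allow-list extension check this fix relies on, run over constructed filenames, so that the edge cases a practitioner should care about are visible: case differences (`evil.HTM`), double extensions (`photo.jpg.html` is HTML, `photo.html.jpg` is a JPEG), trailing dots, dotfiles and missing extensions, all of which are rejected rather than guessed at. The `isAllowedUpload()` function and the `$allowed` list are assumptions for illustration; the SilverStripe calls in the closing comment are recalled from the 3.x API and should be verified against the version in use.

```php
<?php
// Added example (not SilverStripe's own code): an allow-list extension check of the
// kind SS-2014-012 relies on. The allow-list below is a constructed example, not the
// framework's real default list.

// Types the advisory removed from the defaults. Listed here only so the output can
// say *why* a file was rejected; they are never added to the allow-list.
$removedByAdvisory = array('xml', 'html', 'xhtml', 'htm', 'swf');

/**
 * Decide whether $filename may be uploaded.
 *
 * Returns true only when the final extension, lower-cased, is in $allowed.
 * Files with no extension, a trailing dot, or a leading dot (dotfiles such as
 * ".htaccess") are rejected outright: with nothing reliable to match, a browser
 * may content-sniff the upload and render it as HTML anyway.
 */
function isAllowedUpload($filename, array $allowed) {
    $allowed = array_map('strtolower', $allowed);
    $base = basename($filename);            // ignore any path the client sent
    if ($base === '' || substr($base, -1) === '.') {
        return false;                        // empty name or trailing dot
    }
    $pos = strrpos($base, '.');
    if ($pos === false || $pos === 0) {
        return false;                        // no extension, or a dotfile
    }
    // Only the LAST extension counts: "photo.html.jpg" is a .jpg,
    // "photo.jpg.html" is HTML and must be rejected.
    $ext = strtolower(substr($base, $pos + 1));
    return in_array($ext, $allowed, true);
}

// Constructed allow-list for the demonstration (assumption, not the real default).
$allowed = array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'doc', 'docx');

// Constructed sample filenames covering the interesting cases.
$samples = array(
    'photo.jpg', 'PHOTO.JPG', 'report.pdf',
    'evil.html', 'evil.HTM', 'evil.xhtml', 'feed.xml', 'banner.swf',
    'photo.jpg.html', 'photo.html.jpg',
    'noext', 'trailing.', '.htaccess', '../../evil.html',
);

foreach ($samples as $name) {
    $ok  = isAllowedUpload($name, $allowed);
    $why = '';
    if (!$ok) {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        $why = in_array($ext, $removedByAdvisory, true) ? ' (removed by SS-2014-012)' : '';
    }
    printf("%-20s %s%s\n", $name, $ok ? 'allowed' : 'rejected', $why);
}

// In a SilverStripe 3.2+ project the same decision is made by the framework's own
// validator. To explicitly re-allow one of the removed types for a single field
// (API recalled from the 3.x UploadField, verify against your version):
//   $uploadField->setAllowedExtensions(array('jpg', 'png', 'xml'));
// Re-allowing HTML, XHTML, HTM or SWF site-wide reintroduces the risk the advisory
// describes; if it is unavoidable, apply the workarounds in the Security Documentation.
```

Run with `php example.php`; every filename ending in one of the removed extensions, including `photo.jpg.html` and the path-traversal attempt, prints `rejected (removed by SS-2014-012)`, while `photo.html.jpg` and `PHOTO.JPG` are allowed because only the final, case-folded extension is consulted.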