Comments and changes to this ticket
-
mm December 12th, 2016 @ 11:44 PM
I disagree. This condition exists right now on exponentcms.org.
I checked out the master branch https://github.com/exponentcms/exponent-cms/tree/master, installed it on Apache/2.4.18 (Ubuntu) running PHP 7.0.8 and was able to upload executable PHP files.
"AllowOverride" is set to "All".
Loaded Modules:
core_module (static) so_module (static) watchdog_module (static) http_module (static) log_config_module (static) logio_module (static) version_module (static) unixd_module (static) access_compat_module (shared) alias_module (shared) auth_basic_module (shared) authn_core_module (shared) authn_file_module (shared) authz_core_module (shared) authz_host_module (shared) authz_user_module (shared) autoindex_module (shared) deflate_module (shared) dir_module (shared) env_module (shared) filter_module (shared) mime_module (shared) mpm_prefork_module (shared) negotiation_module (shared) php7_module (shared) setenvif_module (shared) status_module (shared)
Might be relevant: https://blog.remirepo.net/post/2013/01/13/PHP-and-Apache-SetHandler...
Actually, the .htaccess file shouldn't be necessary at all since you already have a whitelist of allowed extensions in the code.
But it doesn't work, due to errors e.g. in line 442 in framework/modules/file/models/expFile.php:
$handle->file_new_name_ext = '';
which prevents checks for malicious file extensions later on in line 3051 in framework/modules/pixidou/includes/class.upload/class.upload.php:
if (!is_null($this->file_new_name_ext)) { // rename file ext
Also, the (IMHO dangerous) .htaccess blacklist approach used by FilesMatch is missing PHP extensions such as ".php5".
-
mm December 13th, 2016 @ 07:25 PM
Since I saw the recent commits:
The .htaccess file extension blacklist is not the right way to fix this vulnerability.
It might work for you / your specific apache configuration. But:
-
If you would follow the PHP recommendations on how to configure apache (http://php.net/manual/en/install.unix.apache2.php), it won't work.
-
If you run Ubuntu (<FilesMatch ".+\.ph(p[3457]?|t|tml)$">SetHandler application/x-httpd-php</FilesMatch>), it won't work any more.
-
If you run on a restrictive webhoster (AllowOverride None), it won't work.
-
...
Conclusion: As long as you don't add your specific apache configuration to the installation requirements, blacklists just won't work. Whitelists are the only way to go (see e.g. Wordpress).
Regarding pixidou:
If configured properly, it matches file names against a built-in blacklist in an attempt to prevent executable files from being uploaded. See e.g. line 2945: preg_match('/\.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js)$/i', $this->file_src_name).
Still, as this is a blacklist and blacklists are generally insecure, it won't solve anything.
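As an added illustration (not code from this ticket or from Exponent CMS), the following Python compares the pixidou blacklist quoted above against the Ubuntu PHP handler pattern from the previous comment, beside the whitelist check both comments recommend. The allowed-extension set and the sample file names are constructed for the example.

```python
import re

# Ubuntu's php7 handler pattern as quoted in the ticket (backslash before ".ph" restored).
# Apache FilesMatch is case-sensitive unless (?i) is given, so no IGNORECASE here.
UBUNTU_PHP_HANDLER = re.compile(r".+\.ph(p[3457]?|t|tml)$")

# The class.upload blacklist quoted from pixidou line 2945; PHP's /i flag becomes IGNORECASE.
PIXIDOU_BLACKLIST = re.compile(r"\.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js)$", re.IGNORECASE)

# Whitelist approach: only the extensions the application actually needs (constructed set).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def server_would_execute(filename: str) -> bool:
    """True if Apache on Ubuntu would hand this file name to the PHP interpreter."""
    return UBUNTU_PHP_HANDLER.match(filename) is not None


def blacklist_accepts(filename: str) -> bool:
    """pixidou-style check: the upload is accepted unless its name matches the blacklist."""
    return PIXIDOU_BLACKLIST.search(filename) is None


def allowlist_accepts(filename: str) -> bool:
    """Whitelist check: accept only if the extension after the last dot is known-safe."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def blacklist_gaps(filenames):
    """Names the blacklist lets through even though the server would execute them as PHP."""
    return [f for f in filenames if blacklist_accepts(f) and server_would_execute(f)]


def allowlist_is_disjoint_from_handler() -> bool:
    """Deployment check: no whitelisted extension may match the server's PHP handler pattern."""
    return not any(server_would_execute("probe." + ext) for ext in ALLOWED_EXTENSIONS)


# Constructed sample of upload names; nothing here comes from a real upload.
SAMPLE_UPLOADS = ["photo.jpg", "report.pdf", "shell.php", "shell.php5",
                  "shell.php7", "shell.pht", "shell.phtml", "notes.txt"]

if __name__ == "__main__":
    print("blacklist misses:", blacklist_gaps(SAMPLE_UPLOADS))
    print("whitelist accepts:", [f for f in SAMPLE_UPLOADS if allowlist_accepts(f)])
    print("whitelist disjoint from handler:", allowlist_is_disjoint_from_handler())
```

The gap list is exactly the point of the comments: a blacklist has to track every handler pattern of every deployment, while the whitelist only has to be checked once against the handler actually in use.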
-
-
expNinja December 14th, 2016 @ 07:45 PM
- State changed from open to resolved
(from [0dd7790352cabef4637ac826f22755038ffac152]) integrate class.upload to help process all file uploads and filter executables; moves class.upload from pixidou to /external; filters uploads through elFinder to same mime types as class.upload; better error response to XHR upload [#1402 state:resolved] https://github.com/exponentcms/exponent-cms/commit/0dd7790352cabef4...
Bug Tracker for Exponent CMS
Referenced by
- 1405 Exponent CMS 2.4.1 Patch 1 - Unrestricted File Upload Vulnerability As it has already been pointed out (https://exponentcms.l...