Exponentcms Exponent CMS → 2.4.1

Comments and changes to this ticket

• You flagged this item as spam.
  

  mm December 12th, 2016 @ 11:44 PM

  I disagree. This condition exists right now on exponentcms.org.

  I checked out the master branch https://github.com/exponentcms/exponent-cms/tree/master, installed it on Apache/2.4.18 (Ubuntu) running PHP 7.0.8 and was able to upload executable PHP files.

  "AllowOverride" is set to "All".

  Loaded Modules:
  core_module (static) so_module (static) watchdog_module (static) http_module (static) log_config_module (static) logio_module (static) version_module (static) unixd_module (static) access_compat_module (shared) alias_module (shared) auth_basic_module (shared) authn_core_module (shared) authn_file_module (shared) authz_core_module (shared) authz_host_module (shared) authz_user_module (shared) autoindex_module (shared) deflate_module (shared) dir_module (shared) env_module (shared) filter_module (shared) mime_module (shared) mpm_prefork_module (shared) negotiation_module (shared) php7_module (shared) setenvif_module (shared) status_module (shared)

  Might be relevant: https://blog.remirepo.net/post/2013/01/13/PHP-and-Apache-SetHandler...

  Actually, the .htaccess file shouldn't be necessary at all since you already have a whitelist of allowed extensions in the code.

  But it doesn't work, due to errors e.g. in line 442 in framework/modules/file/models/expFile.php:
  $handle->file_new_name_ext = ''; which prevents checks for malicious file extensions later on in line 3051 in framework/modules/pixidou/includes/class.upload/class.upload.php:
  if (!is_null($this->file_new_name_ext)) { // rename file ext

  Also, the (IMHO dangerous) .htaccess blacklist approach used by FilesMatch is missing PHP extensions such as ".php5".

• You flagged this item as spam.
  

  mm December 13th, 2016 @ 07:25 PM

  Since I saw the recent commits:

  The .htaccess file extension blacklist is not the right way to fix this vulnerability.

  It might work for you / your specific apache configuration. But:

  • If you would follow the PHP recommendations on how to configure apache (http://php.net/manual/en/install.unix.apache2.php), it won't work.

  • If you run Ubuntu (<FilesMatch ".+.ph(p[3457]?|t|tml)$">SetHandler application/x-httpd-php</FilesMatch>), it won't work any more.

  • If you run on a restrictive webhoster (AllowOverride None), it won't work.

  • ...

  Conclusion: As long as you don't add your specific apache configuration to the installation requirements, blacklists just won't work. Whitelists are the only way to go (see e.g. Wordpress).

  Regarding pixidou:

  If configured properly, it matches file names against a build-in blacklist in an attempt to prevent executable files from being uploaded. See e.g. line 2945: preg_match('/.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js)$/i', $this->file_src_name).

  Still, as this is a blacklist and blacklists are generally insecure, it won't solve anything.

• 

  expNinja December 14th, 2016 @ 07:45 PM

  • State changed from “open” to “resolved”

  (from [0dd7790352cabef4637ac826f22755038ffac152]) integrate class.upload to help process all file uploads and filter executables; moves class.upload from pixidou to /external; filters uploads through elFinder to same mime types as class.upload; better error response to XHR upload [#1402 state:resolved] https://github.com/exponentcms/exponent-cms/commit/0dd7790352cabef4...