Bug #7061
Static elements allow access to config files when not allowed
| Status: | Resolved | Start date: | 02/10/2012 |
|---|---|---|---|
| Priority: | Critical | Due date: | |
| Assignee: | | % Done: | 100% |
| Category: | Security | | |
| Target version: | Revolution-2.2.1-pl | | |
| JiraID: | | Resolution: | Fixed |
| Environment: | Tested on debian/apache using latest PHP | Affects Revolution Version: | Revolution-2.2.0-pl2 |
Description
Using 'static' inside a template (or other element) the user can read any file on the server.
How to reproduce:
- adjust the default media source base path/URL to '/upload/' to limit the user to the upload folder
- confirm you now only see the contents of the 'upload' folder inside the file manager
- create a new template
- select static
- enter '../core/config/config.inc.php' as static file path
- save
- contents of config.inc.php show up as template content
This can cause some serious problems. Using the info in this file a user can change his own permissions inside phpMyAdmin!
History
Updated by Shaun McCormick 3 months ago
- Status changed from Open to Assigned
- Target version set to Revolution-2.2.1-pl
- Resolution set to Confirmed
Updated by Shaun McCormick 3 months ago
- Status changed from Assigned to Resolved
- Assignee set to Shaun McCormick
- % Done changed from 0 to 100
- Resolution changed from Confirmed to Fixed
Updated by Jeroen Kenters 3 months ago
If I read the commit correctly, the code only denies access to the /core directory, where it should deny access to any file outside the media source root.
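
The check the last comment asks for, containment in the media source root instead of a deny rule for /core, as an added example in PHP. It is not MODX code or the committed fix; `resolveInsideRoot()` and the sample directory tree are hypothetical and constructed for illustration.

```php
<?php
// Added example, not MODX code: resolveInsideRoot() is a hypothetical helper.

/** Return the canonical path of $relative under $root, or null if it escapes $root. */
function resolveInsideRoot(string $root, string $relative): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($relative, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; it returns false for a
    // missing target, so this read-only check also rejects nonexistent files.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $relative);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Trailing separator stops a sibling such as "upload-old" matching "upload".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample tree in a temp directory (all names are made up).
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'static-demo-' . uniqid();
foreach (['upload/tpl', 'core/config', 'upload-old'] as $dir) {
    mkdir("$site/$dir", 0700, true);
}
file_put_contents("$site/upload/tpl/page.html", '<h1>ok</h1>');
file_put_contents("$site/core/config/config.inc.php", '<?php // placeholder');
file_put_contents("$site/upload-old/notes.txt", 'placeholder');
file_put_contents("$site/index.php", '<?php // placeholder');

$requests = [
    'tpl/page.html',                         // inside the root
    '../core/config/config.inc.php',         // the path from the report
    'tpl/../../core/config/config.inc.php',  // same target, nested traversal
    '../index.php',                          // outside the root but not under /core
    '../upload-old/notes.txt',               // sibling sharing the root's name prefix
    'missing.html',                          // does not exist
];
foreach ($requests as $path) {
    $resolved = resolveInsideRoot("$site/upload", $path);
    printf("%-40s %s\n", $path, $resolved === null ? 'DENY' : 'ALLOW');
}
```

Only the first request resolves inside the root; a rule that blocks /core alone would still let `../index.php` and `../upload-old/notes.txt` through.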