Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#1363 closed defect (fixed)

ImageManager & ExtendedFileManager Security Patch

Reported by: gogo
Owned by:
Priority: normal
Milestone: 0.96
Component: Plugins
Version: trunk
Severity: major
Keywords:
Cc:

Description

ImageManager has been found to be vulnerable to a security violation whereby an attacker can successfully upload a PHP (or other similar executable) into the demo_images area of a default unsecured Xinha installation and subsequently execute said file by performing a browser request.

People who require an immediate patch for an operative system will, I think, find the easiest way is to make a file called .htaccess in xinha/plugins/ImageManager/demo_images with the following contents:

<IfModule mod_php.c>
  php_flag engine off
</IfModule>
AddType text/html .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi

I will shortly commit a quick changeset which corrects this behaviour by three means:

  1. By checking for valid image extension names on upload and save from the image-editor.
  2. By turning off upload ability in ImageManager and ExtendedFileManager by default - people must now properly configure the plugins and enable the ability to upload. This is contentious, but I think a sensible precaution given the severity.
  3. By adding a .htaccess file as above to the demo_images folder of ImageManager, and a minor correction to the .htaccess of the demo_images folder of ExtendedFileManager
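
The extension check from item 1, written out as an added example; it is not the code from the changeset and not Xinha's own. The function name, the allowlist and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from Xinha or its changeset.
// Assumed allowlist: extension => image type that getimagesize() must report.
const ALLOWED_IMAGES = [
    'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
    'png' => IMAGETYPE_PNG,  'gif'  => IMAGETYPE_GIF,
];

/** Return a safe name to store the upload under, or null to reject it. */
function safe_image_name(string $clientName, string $tmpPath): ?string
{
    // Discard any path the client sent along with the name.
    $base = basename(str_replace('\\', '/', $clientName));

    // Apache's mod_mime considers every dot-separated extension, so a name
    // like "shell.php.gif" may still be handled as PHP, depending on the
    // server configuration. Require exactly one extension; this also
    // rejects dotfiles such as ".htaccess".
    $parts = explode('.', strtolower($base));
    $stem  = array_shift($parts);
    if ($stem === '' || count($parts) !== 1) {
        return null;
    }
    $ext = $parts[0];
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        return null;
    }

    // The content must parse as the image type the extension claims.
    // This is a consistency check only: a valid image can still carry
    // embedded PHP, which is why the extension rule comes first.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== ALLOWED_IMAGES[$ext]) {
        return null;
    }
    return preg_replace('/[^a-z0-9_-]/', '_', $stem) . '.' . $ext;
}

// Constructed sample input: a 1x1 GIF written to a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, base64_decode(
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
foreach (['photo.gif', 'My Photo.GIF', 'shell.php', 'shell.php.gif',
          '.htaccess', '../../x.gif', 'photo.png'] as $name) {
    $safe = safe_image_name($name, $tmp);
    printf("%-14s => %s\n", $name, $safe ?? 'REJECTED');
}
unlink($tmp);
```

The same check applies to the save path of the image editor, since a file name supplied there is no more trustworthy than one supplied on upload.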

Change History (3)

comment:1 Changed 8 years ago by gogo

Patch committed in changeset:1143

comment:2 Changed 8 years ago by gogo

  • Resolution set to fixed
  • Status changed from new to closed

The attacker who came to my attention exploiting this appears to be using Google to find exploitable installations.

comment:3 Changed 8 years ago by gogo

If any Xinha developers would like a copy of the Apache log regarding this attack, please contact me off-trac.
