Opened 15 years ago

Closed 11 years ago

#472 closed defect (fixed)

InsertPicture and security

Reported by: niko
Owned by: gocher
Priority: normal
Milestone: 2.0
Component: Xinha Core
Version: trunk
Severity: critical
Keywords: InsertPicture security


Currently you can write in ANY directory where the www-user has write rights by setting the localpicturepath, which is a big security hole.

You could use the same algorithm as ImageManager does to protect the settings.
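As an added illustration of the kind of protection the report asks for (this is example code, not Xinha's or ImageManager's own), the following PHP resolves a requested picture directory against a fixed server-side base and refuses anything that escapes it. The base directory, the function name and the use of a request parameter named localpicturepath are assumptions for the example.

```php
<?php
// Added example (not Xinha/InsertPicture code): constrain a configurable
// picture directory to a fixed base directory on the server, so that a
// "localpicturepath" setting cannot point at arbitrary writable locations.
// Assumes a Unix-like filesystem; names below are chosen for this example.

/**
 * Resolve $requested relative to $base and return the canonical absolute path,
 * or null if it escapes $base, does not exist, or is not a directory.
 */
function resolve_picture_dir(string $base, string $requested): ?string
{
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        return null; // base itself is misconfigured: refuse everything
    }
    // Reject empty values, absolute paths and NUL bytes before touching the filesystem.
    if ($requested === '' || $requested[0] === '/' || strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_dir($candidate)) {
        return null; // non-existent target: never create directories on demand
    }
    // Containment check: the canonical target must be $realBase or sit below it.
    // realpath() also collapses symlinks, so a link pointing outside fails here.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $realBase && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage: only the server decides the base; the request may pick a subfolder of it.
$base = __DIR__ . '/demo_images';                 // assumed server-side setting
$requested = $_GET['localpicturepath'] ?? '';     // untrusted input (assumed parameter name)
$dir = resolve_picture_dir($base, $requested);
if ($dir === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid picture directory');
}
// ... list or store files in $dir only from this point on
```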

Change History (5)

comment:1 Changed 15 years ago by gocher

  • Owner changed from gogo to gocher

I'm looking for a way to use one installation of Xinha for more than one Website!
In the ImageManager plugin there is only the way to set one path!

$IMConfig['images_url'] = str_replace( "backend.php", "", $_SERVER["PHP_SELF"] ) . "demo_images";

What can I do?

comment:2 Changed 15 years ago by niko

This is just the default value, which can be overwritten by other settings.
Take a look at this wiki page, the usage is explained there: ImageManager

and take a look at the bottom of

comment:4 Changed 15 years ago by gogo

  • Milestone set to 2.0
  • Version set to trunk

Pushing this to 2.0 release for two reasons

  1. it's a non-critical plugin, ImageManager is there and secure
  2. fixing this will change how InsertPicture is setup

comment:5 Changed 11 years ago by gogo

  • Resolution set to fixed
  • Status changed from new to closed


I have disabled InsertPicture (which is now resident in unsupported_plugins). While I have not had any reports of it being attacked/compromised, I had a look at the code in there and it did not fill me with confidence.

It should be removed sometime, but for now the message will advise developers that they should upgrade to ImageManager and that InsertPicture will go away soon.
