serendipity_uploadSecure bug


Post by raperu2000 [at] yahoo »

In the serendipity_uploadSecure function, the preg_replace pattern should accept only alphanumeric, numbers, ".", "_" and "-" characters, without the "/" character, because this can lead to an upload path traversal vulnerability in Windows.
Example:
Consider the following userfile name: "../malicious.php". This will upload the local file into the directory below where the PHP script should normally copy it.


Re: serendipity_uploadSecure bug

Post by garvinhicking »

Thanks for that information; I have patched the function to strip those characters with ".." as default.

I do not think that the security implications are too high - a user needs access to an S9y installation to do this, and if he has access to upload images he can usually do much worse stuff by uploading custom plugins.

However, in a hosted Serendipity environment with unprivileged users (which is basically possible, but I have not yet heard of anyone offering this) the implications are meaner. But those users should use current development snapshots.

Thanks,
Garvin.
# Garvin Hicking (s9y Developer)
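
The filename check this thread discusses, as an added example that is not part of the original posts and is not Serendipity's code: the function names, the patterns and the sample names are assumptions made for illustration. It sets an allow-list that still admits "/" beside one that drops directory parts first, then confirms the resolved target stays inside the upload directory.

```php
<?php
// Added illustration; hypothetical function names, not Serendipity's code.

// Weak form: the allow-list still contains "/", so directory parts survive.
function sanitize_weak(string $name): string {
    return preg_replace('@[^0-9a-z._/-]@i', '', $name);
}

// Stricter form: drop any directory part first, then allow only
// letters, digits, ".", "_" and "-", and collapse runs of dots.
function sanitize_strict(string $name): string {
    $name = str_replace('\\', '/', $name);   // treat Windows separators alike
    $name = basename($name);                 // keep the last path component only
    $name = preg_replace('@[^0-9a-z._-]@i', '', $name);
    $name = preg_replace('@\.{2,}@', '.', $name);
    $name = ltrim($name, '.');               // no leading dots, no "." or ".."
    return $name === '' ? 'upload' : $name;  // fallback name is an assumption
}

// Build the final target and verify it sits directly in the upload directory.
function safe_target(string $uploadDir, string $clientName): ?string {
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;                         // upload directory does not exist
    }
    $target = $base . DIRECTORY_SEPARATOR . sanitize_strict($clientName);
    // dirname() of the target must be exactly the upload directory.
    return dirname($target) === $base ? $target : null;
}

// Constructed sample names, including the one quoted in the report.
$dir = sys_get_temp_dir();
foreach (['photo.jpg', '../malicious.php', '..\\..\\x.php', 'a/b/../c.png'] as $n) {
    printf("%-18s weak=%-18s strict=%-14s target=%s\n",
        $n, sanitize_weak($n), sanitize_strict($n),
        safe_target($dir, $n) ?? 'rejected');
}
```

This covers the path component only; which file extensions an upload may carry is a separate check.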