
serendipity_uploadSecure bug

Posted: Sat Jan 01, 2005 2:32 pm
by raperu2000 [at] yahoo
In the serendipity_uploadSecure function, the preg_replace pattern should accept only alphanumeric, numbers, ".", "_" and "-" characters, without the "/" character, because this can lead to an upload path traversal vulnerability in Windows.
Example:
Consider the following userfile name: "../malicious.php". This will upload the local file in the directory below where the PHP script should normally copy it.

raperu2000 [at] yahoo

Re: serendipity_uploadSecure bug

Posted: Sun Jan 02, 2005 7:54 pm
by garvinhicking
Thanks for that information; I have patched the function to strip those characters with ".." as default.

I do not think that security implications are too high - a user needs access to an S9y installation to do this, and if he has access to upload images he can usually do much worse stuff by uploading custom plugins.

However, in a hosted Serendipity environment with unprivileged users (which is basically possible, but I have not yet heard of anyone offering this) the implications are meaner. But those users should use current development snapshots.

Thanks,
Garvin.
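
The check discussed in this thread, as an added example that is not part of either post and is not Serendipity's code: an allow-list that excludes path separators, stripping of "..", and a containment check on the final path. The function names `sanitize_upload_name` and `upload_target`, the sample names other than "../malicious.php", and the use of the system temp directory as the upload directory are assumptions made for the illustration.

```php
<?php
// Added illustration, not Serendipity's code. Function names are hypothetical.

// Allow-list from the first post: letters, digits, ".", "_" and "-".
// "/" and "\" are outside the class, so both separators are removed.
function sanitize_upload_name(string $name): string
{
    // Drop any directory part first; normalise "\" so basename() also
    // treats Windows-style separators as separators on a POSIX host.
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    // Strip ".." sequences, as the reply describes, and any leading dot.
    $name = ltrim(str_replace('..', '', $name), '.');
    if ($name === '') {
        throw new InvalidArgumentException('empty file name after sanitising');
    }
    return $name;
}

// Build the destination path and confirm it stays inside the upload directory.
function upload_target(string $uploadDir, string $clientName): string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . sanitize_upload_name($clientName);
    // Defence in depth: the parent of the target must be the upload directory.
    if (dirname($target) !== $base) {
        throw new RuntimeException('target escapes upload directory');
    }
    return $target;
}

// Constructed sample names; "../malicious.php" is the one from the report.
$dir = sys_get_temp_dir(); // stands in for the real upload directory
$samples = ['photo.jpg', '../malicious.php', '..\\..\\malicious.php', 'a/b/../c.png'];
foreach ($samples as $clientName) {
    printf("%-24s -> %s\n", $clientName, basename(upload_target($dir, $clientName)));
}
```

The name check only addresses where the file lands; which file types are accepted is a separate decision that this thread does not cover.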