Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Security issue with "Files" admin module
#1
I've found, that user can access files and folder outside default "uploads" folder by just adding "../" to url like that:
Quote:http://sitename.com/admin/upload.php?path=../
This is kind of security hole for VDS hosting, when one has multiple websites owned by only user (usually [apache:apache] or [httpd:httpd]) and relies on application's logic handling web user permissions.
Reply
#2
bugman Wrote:I'v found, that user can access files and folder outside default "uploads" folder by just adding "../" to url like that:
Quote:http://sitename.com/admin/upload.php?path=../
This is kind of security hole for VDS hosting, when one has multiple websites owned by only user (usually apache:apache or httdp:httdp) and relies on application's logic handling web user permissions.

Luckily this can only be done by the GetSimple administrator, who normally will be the same person as the FTP user. And as FTP user he can upload/change any PHP files, so this bug won't give him more rights.

It is only a problem, if somebody would install several GetSimple instances (or other applications) under the same user and give them to different customers without an FTP access. But this is really bad practice.

Anyway, in the plugins I18N Gallery and I18N Custom Fields I have a simple filter, which could be used in the administration, too:
Code:
$subPath = preg_replace('/\.+\//','',$_GET['path']);
I18N, I18N Search, I18N Gallery, I18N Special Pages - essential plugins for multi-language sites.
Reply
#3
For general security, we always suggest to add .htaccess files to folders,

this directive in the main .htaccess file in the root will stop file-lists when there is no index-file:

Code:
Options -Indexes

See here our security tips in the WIKI: http://get-simple.info/wiki/security
|--

Das deutschsprachige GetSimple-(Unter-)Forum:   http://get-simple.info/forums/forumdisplay.php?fid=18
Reply
#4
Connie Wrote:this directive in the main .htaccess file in the root will stop file-lists
This is not the issue here. Using the URL in the OP, is it possible to gain access to directories above /data/uploads from within the backend file management feature. As mvlcek points out, it's only an issue with multiple installations on the same server, with common account names and passwords.

Nevertheless, I think this is one occasion where the system could usefully protect a site admin from his own stupidity and prevent this cross-installation vulnerability.

Actually, I can see a situation where a user (client, for example) might have legitimate, but limited, access to more than one site on the same server and set himself a common username and password for convenience. That could be damaging if exploited.
--
Nick.
Reply
#5
I disagree with you guys. If any product with typical installation out-of-box allow either admin or ordial user to acces files/directotires they're not granted - it's a security hole for me. If File module was primary goal to reach the upload's (and it's children) folder - then no other (parent) folder should be accessed. I think of it like a chroot in linux.
Reply
#6
Thanks for pointing this out, Ill add it to the SVN and get it sorted ASAP.

Mike
My Github Repos: Github
Website: DigiMute
Reply
#7
bugman Wrote:If any product with typical installation out-of-box allow either admin or ordial user to acces files/directotires they're not granted - it's a security hole for me.
I hear what you say and I agree with your logic.

I just tried adding more levels of ../ to the URL and I can get back to the filesystem root to view directory contents (I can't do anything to them as the server permissions prevent that). This is not on a properly hardened commercial production server, so it may not be a true indication.

So, I would like to change my view and say that it certainly needs to be addressed.
--
Nick.
Reply
#8
hameau Wrote:
bugman Wrote:If any product with typical installation out-of-box allow either admin or ordial user to acces files/directotires they're not granted - it's a security hole for me.
I hear what you say and I agree with your logic.

Sorry guys, it's a bug but not a security hole.

Even if the GetSimple administrator is not FTP user at the same time, he has - by design - the ability to change the template and add components using the GetSimple administration. There he can enter any PHP code and thus access anything that PHP on this server is allowed to access. The bug in the upload and file selection functionality does not give him additional rights, it makes it just easier.

I would be a security issue in a more complex CMS with multiple users and different rights per user, where it's not possible for the user to enter PHP code, but as soon as a user can enter PHP code by design (as a feature), any bugs in PHP code that is only accessible to him, can't be a security hole.

And if PHP is allowed to access anything above the webroot that's a problem with the webspace and webserver setup.
I18N, I18N Search, I18N Gallery, I18N Special Pages - essential plugins for multi-language sites.
Reply
#9
mvlcek Wrote:I would be a security issue in a more complex CMS with multiple users and different rights per user, where it's not possible for the user to enter PHP code, but as soon as a user can enter PHP code by design (as a feature), any bugs in PHP code that is only accessible to him, can't be a security hole.

That was my point. I've been keeping it in mind but not telling Smile Third version of GS allows multiusers, further there's a plugin - "Multi User" where you can create a kind of unprivileged user - site editor, for example. You think of granting him "editing", "pages" and "uploads" only, but he's gonna list or even download other files (full backups of GS, which contains hashes of passwords etc.)

Judging to mr. n00dles101 - it seems that this topic is over. Thanks everyone for interesting discussion.
Reply
#10
mvlcek Wrote:And if PHP is allowed to access anything above the webroot that's a problem with the webspace and webserver setup.
Point taken.
--
Nick.
Reply




Users browsing this thread: 2 Guest(s)