Posts: 321
Threads: 15
Joined: Feb 2012
2013-12-26, 08:11:55
(This post was last modified: 2013-12-26, 08:15:32 by D.O..)
My website made with GetSimple CMS is
Arte & Società
www.artesocieta.eu
An independent website about Italian Contemporary Visual Arts
Posts: 6,266
Threads: 181
Joined: Sep 2011
IMHO it's a bullshit vulnerability.
Regardless, we now have whitelist capability in later versions.
Posts: 321
Threads: 15
Joined: Feb 2012
2013-12-26, 16:51:25
(This post was last modified: 2013-12-26, 16:52:39 by D.O..)
Thanks for replying, Shawn.
I am glad to hear this; in fact, as the sites say, the solution should be...
- The application should use a whitelisting technique which compares the file extensions and MIME types against acceptable MIME types and extensions; for more information google for "whitelisting vs blacklisting".
Anyway, I'm going to look around to report other stuff about hypothetical GS vulnerabilities.
(2013-12-26, 14:13:43)shawn_a Wrote: IMHO it's a bullshit vulnerability.
Regardless, we now have whitelist capability in later versions.
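The whitelist-versus-blacklist comparison described in the post above, as an added example that is not GetSimple's own code (GetSimple is PHP; this is a language-independent illustration of the check). The extension lists, MIME mappings, magic bytes and the sample uploads are all constructed for the example; the point it shows is that a deny-list of extensions is defeated by a rename (".phtml", ".PHP"), while an allow-list that also requires the declared MIME type and the leading bytes to agree rejects those and a PHP file renamed to ".png".

```python
"""Upload filter: deny-list (blacklist) beside allow-list (whitelist), illustrative code."""
import os

# Deny-list: the approach criticised in the thread. Anything not listed is accepted.
EXTENSION_BLACKLIST = {"php", "exe"}

# Allow-list: only the extensions the site needs, each tied to the MIME type the
# client must declare and the leading bytes ("magic") the file must actually carry.
EXTENSION_WHITELIST = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
    "pdf": ("application/pdf", b"%PDF-"),
}


def blacklist_allows(filename):
    """Naive deny-list check: accept anything whose raw last suffix is not listed.

    No case folding and no knowledge of alternate handler extensions, so
    "shell.PHP" and "shell.phtml" both pass.
    """
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in EXTENSION_BLACKLIST


def whitelist_allows(filename, declared_mime, content):
    """Allow-list check: extension, declared MIME type and leading bytes must all agree."""
    _, ext = os.path.splitext(filename)       # only the final suffix ("a.php.png" -> "png")
    ext = ext.lstrip(".").lower()             # case-fold so "PNG" and "png" are the same rule
    rule = EXTENSION_WHITELIST.get(ext)
    if rule is None:
        return False                          # unknown extension: reject, do not guess
    expected_mime, magic = rule
    if declared_mime != expected_mime:
        return False                          # client-supplied MIME type is untrusted but must match
    return content.startswith(magic)          # and the bytes must look like that type


# Constructed sample uploads: (label, filename, MIME type the client claims, first bytes).
PNG_HEADER = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
PHP_BODY = b"<?php system($_GET['c']); ?>"
SAMPLES = [
    ("renamed to .phtml", "shell.phtml", "application/x-php", PHP_BODY),
    ("uppercase .PHP", "shell.PHP", "application/x-php", PHP_BODY),
    ("real png", "photo.png", "image/png", PNG_HEADER),
    ("php bytes named .png", "shell.png", "image/png", PHP_BODY),
    ("png bytes, wrong mime", "photo2.png", "text/plain", PNG_HEADER),
]


def run_samples():
    """Return {label: (blacklist_verdict, whitelist_verdict)} for every sample upload."""
    return {
        label: (blacklist_allows(name), whitelist_allows(name, mime, body))
        for label, name, mime, body in SAMPLES
    }


if __name__ == "__main__":
    for label, (black, white) in run_samples().items():
        b = "accept" if black else "reject"
        w = "accept" if white else "reject"
        print(f"{label:24} blacklist={b:6} whitelist={w}")
```

The magic-byte check is a sanity check, not a parser: a valid image that also contains PHP source still passes it, so on a real deployment the upload directory should additionally be served without script execution regardless of which list is used.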
Posts: 6,266
Threads: 181
Joined: Sep 2011
Well this is an authenticated upload, not some public thing. Who would you be protecting against ?
We do not even have real multi user support, so not users.
Of course you can rename a file extension, it is like a giant "no shit, Sherlock".
If you have front side uploads then security needs to be handled much different.
Posts: 321
Threads: 15
Joined: Feb 2012
I got it.
It's a ph00kin' false alarm :-D
(2013-12-27, 01:03:39)shawn_a Wrote: Well this is an authenticated upload, not some public thing. Who would you be protecting against ?
We do not even have real multi user support, so not users.
Of course you can rename a file extension, it is like a giant "no shit, Sherlock".
If you have front side uploads then security needs to be handled much different.