2011-05-19, 19:26:17
hameau Wrote:
> bugman Wrote:
>> If any product with typical installation out-of-box allow either admin or ordinary user to access files/directories they're not granted - it's a security hole for me.
> I hear what you say and I agree with your logic.
Sorry guys, it's a bug but not a security hole.
Even if the GetSimple administrator is not an FTP user at the same time, he has - by design - the ability to change the template and add components using the GetSimple administration. There he can enter any PHP code and thus access anything that PHP on this server is allowed to access. The bug in the upload and file selection functionality does not give him additional rights, it just makes it easier.
It would be a security issue in a more complex CMS with multiple users and different rights per user, where it's not possible for the user to enter PHP code, but as soon as a user can enter PHP code by design (as a feature), any bugs in PHP code that is only accessible to him can't be a security hole.
And if PHP is allowed to access anything above the webroot, that's a problem with the webspace and webserver setup.