Ticket #1363 (closed defect: fixed)
ImageManager & ExtendedFileManager Security Patch
Reported by: gogo
Owned by:
ImageManager has been found to be vulnerable to a security violation whereby an attacker can successfully upload a PHP (or other similar executable) into the demo_images area of a default unsecured Xinha installation and subsequently execute said file by performing a browser request.
People who require an immediate patch for an operative system will I think find the easiest way is to make a file called .htaccess in xinha/plugins/ImageManager/demo_images with the following contents.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
AddType text/html .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
I will shortly commit a quick changeset which corrects this behaviour by three means:
- By checking for valid image extension names on upload and save from the image-editor.
- By turning off upload ability in ImageManager and ExtendedFileManager by default - people must now properly configure the plugins and enable the ability to upload. This is contentious, but I think a sensible precaution given the severity.
- By adding a .htaccess file as above to the demo_images folder of ImageManager, and a minor correction to the .htaccess of the demo_images folder of ExtendedFileManager
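As an added illustration of the first of those three measures (example code, not Xinha's own): an extension allowlist check for the upload handler that also verifies the file really parses as an image of the claimed type. The function name, the allowlist and the getimagesize check are assumptions, not the project's actual changeset.

```php
<?php
// Added example, not Xinha's code: allowlist-based check for an uploaded image.
// Hypothetical helper; the accepted extensions are an assumption.

function is_safe_image_upload(string $originalName, string $tmpPath): bool
{
    // Only these extensions are accepted; everything else is refused.
    $allowed = ['gif', 'jpg', 'jpeg', 'png'];

    // Normalise: strip any directory component and lower-case the name.
    $name = strtolower(basename($originalName));

    // Split on every dot so that a name like "photo.php.jpg" is rejected too:
    // Apache's mod_mime can apply a handler to any extension in the name,
    // not only the last one.
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return false;               // no base name or no extension at all
    }
    array_shift($parts);            // drop the base name, keep the extensions
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }

    // The extension alone is not proof: the content must also parse as an
    // image whose detected type matches the claimed extension.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return false;
    }
    $typeForExt = [
        'gif'  => IMAGETYPE_GIF,
        'jpg'  => IMAGETYPE_JPEG,
        'jpeg' => IMAGETYPE_JPEG,
        'png'  => IMAGETYPE_PNG,
    ];
    return $info[2] === $typeForExt[end($parts)];
}

// Usage sketch inside an upload handler (constructed for this example):
// if (!is_safe_image_upload($_FILES['upload']['name'], $_FILES['upload']['tmp_name'])) {
//     http_response_code(400);
//     exit('Only GIF, JPEG or PNG images may be uploaded.');
// }
```

Keeping the .htaccess from the ticket in place as well means that even a file which slips past this check is served as plain text rather than executed.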