Ticket #1363 (closed defect: fixed)
ImageManager & ExtendedFileManager Security Patch
| Reported by: | gogo | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.96 |
| Component: | Plugins | Version: | trunk |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
ImageManager has been found to be vulnerable to a security violation whereby an attacker can successfully upload a PHP (or other similar executable) into the demo_images area of a default unsecured Xinha installation and subsequently execute said file by performing a browser request.
People who require an immediate patch for an operative system will, I think, find the easiest way is to make a file called .htaccess in xinha/plugins/ImageManager/demo_images with the following contents.

```apache
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
AddType text/html .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
```
I will shortly commit a quick changeset which corrects this behaviour by three means:
- By checking for valid image extension names on upload and save from the image-editor.
- By turning off upload ability in ImageManager and ExtendedFileManager by default - people must now properly configure the plugins and enable the ability to upload. This is contentious, but I think a sensible precaution given the severity.
- By adding a .htaccess file as above to the demo_images folder of ImageManager, and a minor correction to the .htaccess of the demo_images folder of ExtendedFileManager
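The first of the three measures above, the extension check on upload, is the one most often implemented incompletely. The following is an added example written for this ticket, not code from Xinha or its ImageManager plugin; the function and constant names (`is_safe_image_name`, `is_real_image`, `handle_upload`, `ALLOWED_IMAGE_EXTENSIONS`) are assumptions. It goes a step beyond the ticket's wording in two ways: every dot-separated suffix of the name is checked against the allowlist (so `shell.php.jpg` is refused, not only `shell.php`, since Apache can map an inner extension to a handler), and the file contents are independently verified with `getimagesize()` so that a PHP script renamed to `.jpg` is also refused.

```php
<?php
// Added example (not Xinha's own code): validate an uploaded file before it is
// written into an image directory. Names below are assumptions for illustration.

// Allowlist of image extensions; anything not listed is refused.
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];

/**
 * Return true only if $filename is safe to store as an image.
 * Every dot-separated suffix must be on the allowlist, so "shell.php.jpg" is
 * refused as well as "shell.php" (and, more strictly, "my.photo.jpg" too).
 */
function is_safe_image_name(string $filename): bool
{
    // Drop any path component the client supplied ("../x.jpg" -> "x.jpg").
    $base = basename($filename);
    if ($base === '' || $base[0] === '.') {
        return false;               // hidden files such as ".htaccess" are never images
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false;               // no extension at all
    }
    array_shift($parts);            // remove the name itself; the rest are extensions
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Second, independent check: the bytes must parse as an image and the detected
 * type must agree with the claimed extension (a PHP file renamed to .jpg fails).
 */
function is_real_image(string $path, string $filename): bool
{
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    $ext_for_type = [
        IMAGETYPE_GIF  => ['gif'],
        IMAGETYPE_JPEG => ['jpg', 'jpeg'],
        IMAGETYPE_PNG  => ['png'],
    ];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset($ext_for_type[$info[2]]) && in_array($ext, $ext_for_type[$info[2]], true);
}

/**
 * Upload handler: $file is one entry of $_FILES. Returns the stored path, or
 * null when the upload is refused. Nothing is moved until both checks pass.
 */
function handle_upload(array $file, string $dest_dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_safe_image_name($file['name']) || !is_real_image($file['tmp_name'], $file['name'])) {
        return null;                // refused: bad extension or not an image
    }
    $target = rtrim($dest_dir, '/') . '/' . basename($file['name']);
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}
```

The two checks are deliberately independent: the name check protects the web server's handler mapping, the content check protects against disguised scripts. Neither replaces the `.htaccess` measure above, which is what stops execution even if a bad file does reach the directory.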
Change History