Opened 7 years ago

Closed 7 years ago

#1515 closed defect (fixed)

Security Issue - Corruption Potential

Reported by: gogo Owned by: gogo
Priority: normal Milestone: 0.96
Component: Xinha Core Version: trunk
Severity: major Keywords:
Cc:

Description

The compressors in the contrib folder, files compress.php and compress_yui.php, can be commonly found in installations of Xinha online and are potentially (probably) executable from the web simply by hitting the URL to the file.

In cases where the files are executed and java does not exist, the likely result is corruption of all the files on which compression is attempted, in the form:

/* This compressed file is part of Xinha. For uncompressed sources, forum, and bug reports, go to xinha.org */
sh: java: command not found

Other issues may cause similar corrupting results.

Many servers these days use suPHP or other methods to execute PHP scripts through the web server as the user owning the script, and thus the user likely has write access to all the Xinha files.

Many shared servers won't have java installed.

The potential for corruption is large, so all users should ensure that they take one of the following steps to prevent this:

  1. You could delete the contrib/compress.php and compress_yui.php files
  2. You could remove read permissions on the files for everybody
  3. You could install something like the following .htaccess file in the contrib folder
    <IfModule mod_php.c>
     php_flag engine off
    </IfModule>
    AddType text/html .html .htm .shtml .php .php3 .php4 .php5 .php6 .php7 .php8 .phtml .phtm .pl .py .cgi
    RemoveHandler .php
    RemoveHandler .php8
    RemoveHandler .php7
    RemoveHandler .php6
    RemoveHandler .php5
    RemoveHandler .php4
    RemoveHandler .php3

The following changeset will add such an .htaccess and also some protection that if java does fail in this manner, the corruption won't occur anyway.
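As an added illustration of the protection the ticket asks for (this is example code written for this page, not Xinha's own compress.php or compress_yui.php, and not the changeset referred to above), the following PHP script shows a compressor driver that cannot produce the corruption described: it refuses to run under a web SAPI, checks that java actually executes before touching anything, captures stdout and stderr separately instead of letting shell error text flow into the output, and only replaces a source file after the compressor exited successfully, via a temporary file and rename. It assumes a YUI-Compressor-style jar invoked as `java -jar <jar> --type js <file>` that writes the result to stdout, and PHP 7.4 or later for the array form of proc_open; the jar path and file list come from the command line.

```php
<?php
// Added example, not Xinha project code. Assumes PHP >= 7.4 (array form of
// proc_open) and a YUI-Compressor-style jar that prints compressed JS to stdout.

// 1. Build tools belong on the command line. Refuse to run from a web request,
//    which is how the ticket's compressors get triggered in the first place.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit("This script may only be run from the command line.\n");
}

// 2. Confirm that java exists and runs before any file is opened for writing.
//    With the array form of proc_open no shell is involved, so a missing binary
//    surfaces as a failed start / non-zero exit, never as "sh: java: command not found".
function java_available(string $java = 'java'): bool
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([$java, '-version'], $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}

// 3. Compress one file. stderr goes to its own temp file (so a chatty compressor
//    cannot deadlock us and its text can never end up in the output), the exit
//    status is checked, and the original is replaced atomically only on success.
function compress_file(string $jar, string $file): void
{
    $header = "/* This compressed file is part of Xinha. For uncompressed sources, forum, and bug reports, go to xinha.org */\n";
    $errFile = tempnam(sys_get_temp_dir(), 'compress-err-');
    $spec = [1 => ['pipe', 'w'], 2 => ['file', $errFile, 'w']];

    $proc = proc_open(['java', '-jar', $jar, '--type', 'js', $file], $spec, $pipes);
    if (!is_resource($proc)) {
        @unlink($errFile);
        throw new RuntimeException("could not start java for $file; file left untouched");
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);
    $err = trim((string) file_get_contents($errFile));
    @unlink($errFile);

    // Anything other than a clean exit with real output means: do not write.
    if ($status !== 0 || $out === '') {
        throw new RuntimeException("compression of $file failed (exit $status): $err");
    }

    // Write to a sibling temp file, then rename, so a crash mid-write cannot
    // leave a half-written source behind.
    $tmp = $file . '.tmp.' . getmypid();
    if (file_put_contents($tmp, $header . $out) === false || !rename($tmp, $file)) {
        @unlink($tmp);
        throw new RuntimeException("could not write $file; original left untouched");
    }
}

// Usage: php compress_safe.php /path/to/yuicompressor.jar file1.js file2.js ...
$jar = $argv[1] ?? null;
$files = array_slice($argv, 2);
if ($jar === null || !$files) {
    fwrite(STDERR, "usage: php " . basename(__FILE__) . " <compressor.jar> <file.js> ...\n");
    exit(2);
}
if (!java_available()) {
    fwrite(STDERR, "java is not available; no files were modified\n");
    exit(1);
}
foreach ($files as $file) {
    try {
        compress_file($jar, $file);
        echo "compressed $file\n";
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```

The .htaccess in step 3 and the PHP_SAPI check above are complementary: the former stops the web server from executing the script at all, the latter makes the script itself harmless if it is ever reached through some other handler configuration. Neither replaces the exit-status check, which is what prevents an error message from being written over a source file even when the script is run deliberately.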

Change History (3)

comment:2 Changed 7 years ago by gogo

Leaving open so people will notice.

comment:3 Changed 7 years ago by gogo

  • Resolution set to fixed
  • Status changed from new to closed