Ticket #1515 (closed defect: fixed)
Security Issue - Corruption Potential
Reported by: gogo | Owned by: gogo
The compressors in the contrib folder, the files compress.php and compress_yui.php, are commonly present in online installations of Xinha and are potentially (probably) executable from the web simply by requesting the file's URL.
In cases where the files are executed and java does not exist, the likely result is corruption of all the files on which compression is attempted, in the form:
/* This compressed file is part of Xinha. For uncompressed sources, forum, and bug reports, go to xinha.org */ sh: java: command not found
Other failures may cause similar corrupting results.
Many servers these days use suPHP or other methods to execute PHP scripts through the web server as the user owning the script, and thus the user likely has write access to all the Xinha files.
Many shared servers won't have java installed.
The potential for corruption is large, so all users should ensure that they take the following steps to prevent this:
- You could delete the contrib/compress.php and compress_yui.php files
- You could remove read permissions from the files to anybody
- You could install something like the following .htaccess file in the contrib folder
  <IfModule mod_php.c>
    php_flag engine off
  </IfModule>
  AddType text/html .html .htm .shtml .php .php3 .php4 .php5 .php6 .php7 .php8 .phtml .phtm .pl .py .cgi
  RemoveHandler .php
  RemoveHandler .php8
  RemoveHandler .php7
  RemoveHandler .php6
  RemoveHandler .php5
  RemoveHandler .php4
  RemoveHandler .php3
The following changeset adds such an .htaccess and also some protection so that, if java does fail in this manner, the corruption won't occur anyway.
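As an added illustration (not Xinha's own code and not the changeset referred to above), here is one defensive way to drive the compressor: the script refuses to run outside the command line, and the source file is replaced only when the compressor exited with status 0, produced non-empty output and wrote nothing to stderr, so a "command not found" message can never land in the file. The compressor command and file name are assumptions.

```php
<?php
// Added example, not Xinha's code. HEADER is the comment Xinha prepends
// to compressed files (text taken from the ticket).
const HEADER = "/* This compressed file is part of Xinha. For uncompressed sources, forum, and bug reports, go to xinha.org */\n";

// The compressors are build-time tools: refuse to run under a web SAPI at all.
function assertCli(): void {
    if (PHP_SAPI !== 'cli') {
        header('HTTP/1.1 403 Forbidden');
        exit("This script may only be run from the command line.\n");
    }
}

// Run the compressor; return its output, or null on any sign of failure.
function compressFile(string $cmd, string $src): ?string {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd . ' ' . escapeshellarg($src), $spec, $pipes);
    if (!is_resource($proc)) { return null; }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]); fclose($pipes[1]);
    $err = stream_get_contents($pipes[2]); fclose($pipes[2]);
    $status = proc_close($proc);
    // Non-zero exit (sh reports 127 for a missing java), anything on stderr,
    // or empty output all mean $out must not be trusted.
    if ($status !== 0 || $err !== '' || trim($out) === '') { return null; }
    return $out;
}

// Overwrite $src only when compression verifiably worked, writing to a
// temporary file first so a failure mid-write cannot truncate the original.
function compressInPlace(string $cmd, string $src): bool {
    $out = compressFile($cmd, $src);
    if ($out === null) {
        fwrite(STDERR, "Compression of $src failed; original left untouched.\n");
        return false;
    }
    $tmp = $src . '.tmp.' . getmypid();
    if (file_put_contents($tmp, HEADER . $out) === false) { return false; }
    return rename($tmp, $src);
}

assertCli();
// Hypothetical invocation; the jar path and input file are placeholders.
compressInPlace('java -jar /path/to/yuicompressor.jar', $argv[1] ?? 'example.js');
```

With java absent, the function logs the failure and returns false, and the uncompressed source remains exactly as it was.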