Opened 8 years ago

Closed 8 years ago

#1591 closed defect (invalid)

Security hole in Extended File Manager

Reported by: guest
Owned by:
Priority: normal
Milestone:
Component: Plugins
Version: trunk
Severity: major
Keywords: Extended File Manager
Cc: fernando.algarvio@…, guest

Description

Hi!

Extended File Manager allows browser access to photos and lets anyone delete files.

You can try it by modifying the following URL to point at your installation:

http://www.yoururl.com/xinha/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&__function=images&mode=image&dir=/&viewtype=thumbview

Change History (3)

comment:1 Changed 8 years ago by gogo

  • Resolution set to invalid
  • Status changed from new to closed

No, it doesn't. You must have a poor configuration or an old version. Ensure you properly configure your EFM and ImageManager.

comment:2 Changed 8 years ago by guest

  • Cc guest added
  • Resolution invalid deleted
  • Status changed from closed to reopened

You can see the problem in the Xinha demo installation, right here:

http://xinha.raimundmeyer.de/latest/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&__function=images&mode=image&viewtype=thumbview#

Isn't the permission to delete the files being denied by the operating system instead of the application? Should this screen appear when called directly by the browser, or should it only appear when called by the editor? Isn't this the latest version?

comment:3 Changed 8 years ago by gogo

  • Resolution set to invalid
  • Status changed from reopened to closed

The folder opened is restricted to the example (demo) images distributed with Xinha. It is fine for somebody to delete these if the developer has not configured Xinha; who cares, they are only example images.

You cannot escape the example images folder unless the developer specifically changes the config to another folder. If they change the config to another folder, then they would also change the other configuration items for EFM to meet their security requirements.

This is only a problem in my view if you have a way to escape the demo images folder with default EFM configuration. Such a way is not proven to exist.
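The two properties the closing comment relies on, that a `dir` request cannot escape the configured images folder and that deletion is governed by configuration rather than left to the filesystem, are easy to check for in a backend. The following is an added example written for this ticket, not Xinha's or ExtendedFileManager's own code; the setting names `images_dir` and `allow_delete`, the function names, and the temporary directory layout are all assumptions made for illustration.

```php
<?php
// Added example (not Xinha/EFM code): confine a user-supplied "dir" parameter
// to a configured base directory and gate deletion behind an explicit setting.
// Setting names and function names are hypothetical.

declare(strict_types=1);

/**
 * Resolve $requestedDir relative to $baseDir and return its real path, or
 * null when the result would lie outside $baseDir. realpath() collapses
 * ".." segments and symlinks, so the prefix comparison is done on the
 * canonical form, not on the raw request string.
 */
function resolveWithinBase(string $baseDir, string $requestedDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the configured base directory must exist
    }
    // Treat the request as relative even if it starts with "/", so "dir=/"
    // means the root of the images folder, not the filesystem root.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($requestedDir, '/\\');
    $real = realpath($candidate);
    if ($real === false) {
        return null; // requested directory does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // canonical path escaped the base directory
    }
    return $real;
}

/**
 * Delete a file inside the images folder only when the (hypothetical)
 * allow_delete setting is on, the directory stays inside the base, and the
 * file name carries no path separators of its own.
 */
function deleteImage(array $config, string $requestedDir, string $file): bool
{
    if (empty($config['allow_delete'])) {
        return false; // deletion disabled by configuration
    }
    $dir = resolveWithinBase($config['images_dir'], $requestedDir);
    if ($dir === null || basename($file) !== $file) {
        return false; // bad directory, or file name that tries to traverse
    }
    $target = $dir . DIRECTORY_SEPARATOR . $file;
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demonstration tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'efm_demo_' . uniqid();
mkdir($root . '/images/sub', 0700, true);
file_put_contents($root . '/images/sub/demo.jpg', 'x');
file_put_contents($root . '/secret.txt', 'y');

$config = ['images_dir' => $root . '/images', 'allow_delete' => false];

// "dir=/" resolves to the images folder itself, a subfolder resolves inside
// it, and a "../" request is rejected because it leaves the base.
var_dump(resolveWithinBase($config['images_dir'], '/'));
var_dump(resolveWithinBase($config['images_dir'], 'sub'));
var_dump(resolveWithinBase($config['images_dir'], '../'));

// Deletion is refused while allow_delete is off, refused for a file name
// carrying path separators, and permitted only for the in-folder demo file.
var_dump(deleteImage($config, 'sub', 'demo.jpg'));
$config['allow_delete'] = true;
var_dump(deleteImage($config, 'sub', '../../secret.txt'));
var_dump(deleteImage($config, 'sub', 'demo.jpg'));

// Clean up the constructed tree.
unlink($root . '/secret.txt');
rmdir($root . '/images/sub');
rmdir($root . '/images');
rmdir($root);
```

The point of comparing canonical paths rather than inspecting the request string is that `realpath()` already accounts for `..`, duplicated separators and symlinks, so the containment decision does not depend on anticipating every spelling of an escape. Keeping deletion behind a configuration flag, as the closing comment expects of a configured deployment, means the filesystem permission mentioned in comment:2 is a second line of defence rather than the only one.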
