Opened 12 years ago

Closed 7 years ago

#472 closed defect (fixed)

InsertPicture and security

Reported by: niko Owned by: gocher
Priority: normal Milestone: 2.0
Component: Xinha Core Version: trunk
Severity: critical Keywords: InsertPicture security
Cc:

Description

Currently you can write to ANY directory where the www-user has write rights by setting the localpicturepath, which is a big security hole.

You could use the same algorithm as ImageManager does to protect the settings.
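
Added example (not from this ticket and not Xinha's or ImageManager's code): the kind of check the description asks for, written in PHP. It assumes the base picture directory is fixed in server-side configuration and that only a relative sub-path may come from the request; the function name, the temp tree and the test cases are all constructed for the demo.

```php
<?php
// Added example, not Xinha's code. Confines a writable picture directory to a
// server-side base directory instead of trusting a client-supplied path.
//
// Unsafe pattern the ticket describes (assumed shape, do not do this):
//   $dir = $_POST['localpicturepath'];            // any dir www-user can write
//   move_uploaded_file($_FILES['f']['tmp_name'], $dir . '/' . $name);

declare(strict_types=1);

/**
 * Resolve $subPath beneath $baseDir and return the absolute directory, or
 * null if the result would escape $baseDir (traversal, smuggled absolute
 * path, symlink pointing outside, NUL byte). Both must already exist.
 */
function confinedPicturePath(string $baseDir, string $subPath): ?string
{
    // realpath() chokes on NUL bytes; reject them explicitly.
    if (strpos($subPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // Never accept an absolute path from the client: always join under base.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($subPath, '/\\');
    $resolved = realpath($candidate);   // collapses ../ and follows symlinks
    if ($resolved === false) {
        return null; // does not exist, so there is nothing to write into
    }

    // Prefix check must include the separator, otherwise /srv/images would
    // also accept /srv/images_private.
    if ($resolved !== $base
        && strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// --- self-contained demo on a constructed temp tree (not real site data) ---
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xinha_demo_' . getmypid();
mkdir($tmp);
mkdir("$tmp/images");
mkdir("$tmp/images/2024");
mkdir("$tmp/images_private");
mkdir("$tmp/outside");
symlink("$tmp/outside", "$tmp/images/link_out");

$cases = [
    '2024',              // allowed sub-directory
    '',                  // the base itself
    '../outside',        // traversal
    '/etc',              // absolute path smuggled in; joined under base instead
    '../images_private', // sibling that shares the base as a string prefix
    'link_out',          // symlink inside base pointing outside it
];
foreach ($cases as $case) {
    $r = confinedPicturePath("$tmp/images", $case);
    printf("%-20s => %s\n", var_export($case, true),
        $r === null ? 'REJECTED' : 'ok: ' . $r);
}

// cleanup
unlink("$tmp/images/link_out");
foreach (['images/2024', 'images', 'images_private', 'outside'] as $d) {
    rmdir("$tmp/$d");
}
rmdir($tmp);
```

Only the first two cases are accepted. The separator-aware prefix check and the realpath() call are what make the sibling-directory and symlink cases fail; a plain string comparison on the unresolved path would let both through.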

Change History (5)

comment:1 Changed 12 years ago by gocher

  • Owner changed from gogo to gocher

I'm looking for a way to use one installation of Xinha for more than one website!
In the ImageManager plugin (config.inc.php) there is only a way to set one path!

$IMConfig['images_url'] = str_replace( "backend.php", "", $_SERVER["PHP_SELF"] ) . "demo_images";

What can I do?

comment:2 Changed 12 years ago by niko

This is just the default value, which can be overwritten by other settings.
Take a look at this wiki page, the usage is explained there: ImageManager

And take a look at the bottom of config.inc.php.

comment:3 Changed 11 years ago by anonymous


comment:4 Changed 11 years ago by gogo

  • Milestone set to 2.0
  • Version set to trunk

Pushing this to the 2.0 release for two reasons:

  1. It's a non-critical plugin; ImageManager is there and secure.
  2. Fixing this will change how InsertPicture is set up.

comment:5 Changed 7 years ago by gogo

  • Resolution set to fixed
  • Status changed from new to closed

changeset:1203

I have disabled InsertPicture (which is now resident in unsupported_plugins). While I have not had any reports of it being attacked/compromised, I had a look at the code in there and it did not fill me with confidence.

It should be removed sometime, but for now the message will advise developers that they should upgrade to ImageManager and that InsertPicture will go away soon.
