Ticket #472 (closed defect: fixed)

Opened 8 years ago

Last modified 4 years ago

InsertPicture and security

Reported by: niko Owned by: gocher
Priority: normal Milestone: 2.0
Component: Xinha Core Version: trunk
Severity: critical Keywords: InsertPicture security
Cc:

Description

Currently you can write to ANY directory where the www user has write rights by setting the localpicturepath, which is a big security hole.

You could use the same algorithm as ImageManager does to protect the settings.
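Added example, not code from Xinha, InsertPicture or ImageManager: a PHP containment check that only honours a configurable picture directory if it resolves inside an allowed base directory, which is the property the report above says the plugin lacks. The base path, the helper name and the assumption that the setting arrives as untrusted request input are constructed for this example.

```php
<?php
// Added example (not project code): confine a configurable picture directory
// to an allowed base so that a misconfigured or attacker-controlled setting
// cannot point at any other directory the web server user can write to.
function resolvePicturePath(string $base, string $requested): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;                       // the allowed base must exist
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // NUL bytes truncate paths in C-backed filesystem calls; reject them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Resolve "..", symlinks and "." relative to the base; a leading slash is
    // stripped so the request can never be treated as an absolute path.
    $candidate = realpath($realBase . ltrim($requested, '/\\'));
    if ($candidate === false) {
        return null;                       // target does not exist
    }
    $candidateDir = is_dir($candidate)
        ? $candidate . DIRECTORY_SEPARATOR
        : $candidate;

    // Containment: the canonical target must start with the canonical base.
    if (strncmp($candidateDir, $realBase, strlen($realBase)) !== 0) {
        return null;
    }
    return $candidate;
}

// Assumed wiring: the allowed base is fixed in server-side configuration and
// the directory setting arrives as untrusted request input.
$allowedBase   = '/var/www/site/images';            // assumption
$configuredDir = $_POST['localpicturepath'] ?? '';  // assumption
$pictureDir    = resolvePicturePath($allowedBase, $configuredDir);
if ($pictureDir === null) {
    http_response_code(400);
    exit('localpicturepath is outside the allowed image directory');
}
```

Because the check compares canonical paths from realpath(), a symlink placed inside the base that points elsewhere is also rejected, not just "../" sequences.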

Change History

Changed 8 years ago by gocher

  • owner changed from gogo to gocher

I'm looking for a way to use one installation of Xinha for more than one website! In the ImageManager plugin (config.inc.php) there is only a way to set one path!

$IMConfig['images_url'] = str_replace( "backend.php", "", $_SERVER["PHP_SELF"] ) . "demo_images";

What can I do?

Changed 8 years ago by niko

This is just the default value, which can be overwritten by other settings. Take a look at this wiki page; the usage is explained there: ImageManager

and take a look at the bottom of config.inc.php

Changed 8 years ago by gogo

  • version set to trunk
  • milestone set to 2.0

Pushing this to the 2.0 release for two reasons:
  1. it's a non-critical plugin; ImageManager is there and secure
  2. fixing this will change how InsertPicture is set up

Changed 4 years ago by gogo

  • status changed from new to closed
  • resolution set to fixed

changeset:1203

I have disabled InsertPicture (which is now resident in unsupported_plugins). While I have not had any reports of it being attacked/compromised, I had a look at the code in there and it did not fill me with confidence.

It should be removed sometime, but for now the message will advise developers that they should upgrade to ImageManager and that InsertPicture will go away soon.