PEAK XOOPS - Re: Protector protects from a legitimate upload.

Re: Protector protects from a legitimate upload.

msg# 1.3.1 | Posted on 2007/8/29 5:32
GIJOE   Posts: 4110
Which "you" do you mean?

Perhaps "directory traversal" is irrelevant to this issue.

Quote:

Dave_L wrote:
Are you talking about filenames with consecutive periods (../foo/bar.txt) or non-consecutive periods (foo.tar.gz)?
"tar.gz" is the only exception. (It is treated as .tgz internally.)
You can upload foo.tar.gz with the setting on.

Quote:
I think the latter (non-consecutive periods) is blocked if the "Exit if bad files are uploaded" setting in the Protector module preferences is enabled. This is implemented in Protector::check_uploaded_files() in trust_path/modules/protector/class/protector.php.

I have this setting disabled.

I don't recommend disabling the setting.
There are some modules with the multiple-dot vulnerability. (They just check against a simple blacklist...)

You know these files can be treated as parsable PHP by Apache:

foo.php.bar
foo.php.en.anonymous

Thus, Protector inhibits such extensions in $_FILES[]['name'].

Of course, all modules should ignore $_FILES[]['name'] if the file is placed under DocumentRoot.
And you can turn this off when all modules are free from such vulnerabilities.

However, when I read some major modules released from xoops.org some months ago, there were NO modules without the vulnerability...
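The point of the post, shown as an added Python illustration (not Protector's PHP code): a module that blocklists only the last extension lets "foo.php.bar" through, while a Protector-style rule that rejects any client filename with more than one dot (except .tar.gz) catches the names Apache's mod_mime could still hand to the PHP handler. The extension blocklist and the function names are constructed for this example.

```python
from typing import Optional

# Constructed blocklist of the kind a module might use; it is deliberately
# the weak check the post criticises (it only sees the final extension).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

# The one double extension the post says Protector tolerates.
ALLOWED_DOUBLE_EXTENSIONS = {"tar.gz"}


def naive_blocklist_rejects(name: str) -> bool:
    """Weak module-level check: inspect only the text after the last dot."""
    last = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return last in PHP_EXTENSIONS


def protector_style_reason(name: str) -> Optional[str]:
    """Return why a client-supplied filename is rejected, or None if accepted.

    Mirrors the behaviour described in the post, not its actual code:
    path separators are never acceptable in $_FILES[]['name'], and more
    than one dot is rejected unless the name is exactly <stem>.tar.gz.
    Apache's mod_mime evaluates every dotted suffix, so "foo.php.bar" may
    still be parsed as PHP even though its last extension looks harmless.
    """
    if any(ch in name for ch in ("/", "\\", "\0")):
        return "path separator or NUL in client filename"
    if not name or name.startswith("."):
        return "empty or dot-prefixed filename"
    lower = name.lower()
    for allowed in ALLOWED_DOUBLE_EXTENSIONS:
        if lower.endswith("." + allowed):
            stem = name[: -(len(allowed) + 1)]
            # "foo.php.tar.gz" still carries a PHP suffix before .tar.gz
            return None if "." not in stem else f"extra extension before .{allowed}"
    if name.count(".") > 1:
        return "multiple extensions (mod_mime may treat any part as a handler)"
    return None


def check_uploads(files: dict) -> dict:
    """Walk a constructed $_FILES-like dict and map field -> rejection reason."""
    rejected = {}
    for field, info in files.items():
        reason = protector_style_reason(info.get("name", ""))
        if reason is not None:
            rejected[field] = reason
    return rejected
```

Running `check_uploads` over a dict with the post's two examples shows them rejected even though `naive_blocklist_rejects` returns False for both.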
