Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#2052 closed defect (fixed)

File Extension interchangeable

Reported by: robin.glauser Owned by: comvation
Priority: normal Milestone: Contrexx 3.2
Component: Media Version: 3.1.1
Severity: critical Keywords: FWValidator, media, extension, filename
Cc:

Description (last modified by michael.ritter)

You can change the file extension in the filebrowser by removing the readonly attribute on the inputfield of the fileextension name.

With this you could upload a php file with the name exploit.php.zip and after the upload rename it to exploit.php

The problem lies in the file /core_modules/media/mediaLib.class.php on about line 342, where it uses FWValidator::is_file_ending_harmless($_POST['renName'].$_POST['renExt']) which is missing the point between the extension and the filename. Because of this the FWValidator::is_file_ending_harmless method doesn't recognise the exploit, but uses a point for the real filename $fileName = $fileName.'.'.$ext;

Change History (2)

comment:1 Changed 4 years ago by robin.glauser

  • Resolution set to fixed
  • Status changed from new to closed

(In [b5e2565bea59363851f9377de76f791b40211610]) (fixed #2052): File Extension interchangeable

comment:2 Changed 4 years ago by michael.ritter

  • Description modified (diff)
  • Milestone changed from unknown to Contrexx 3.2
Note: See TracTickets for help on using tickets.