THE ISSUE
When a user uploads a file through a form, Symfony stores it by default in
the "web/uploads" directory, and the files in that directory can be
reached by any user.
Imagine: a hacker succeeds in uploading a file named attack.php that
contains this line:
<?php echo file_get_contents('../../config/databases.yml'); ?>
You see what I mean? Ouch.
What does the hacker need? Just a form that doesn't check the uploaded
files' extensions well enough.
How the hell could it happen? In at least 3 ways:
1/ The developer doesn't know his job or has been lazy: checking file
types? Why? How?
2/ The developer wanted to build a flexible app
A job application: users have to upload their CV. Which extensions
should I accept in this form? Hmmm, PDF for sure. And Word files. And
Pages. And OpenOffice and RTF and... Come on! Let's just say that
all files are welcome as long as they aren't too big!
3/ Trickier one: PHP is turned on for unusual file extensions
A MySpace-like service lets users upload their own CSS for their
private space.
A few weeks later, PHP is turned on for CSS files to add a brand new cool
feature. Great, now the hacker just has to upload an attack.css file
with PHP in it...
REAL LIFE SAMPLE
I'm afraid that this kind of form is very easy to find.
The first I've found: the Diem project
Go to the admin
http://demo.diem-project.org/admin.php/content/site/sites-using-diem/new
(use "admin" as login and password)
In the thumbnail field, you can upload any PHP file; it will be
published online....
FIX PROPOSAL
PHP should definitely be disabled by default in the uploads
directory:
<Directory "/path/to/my/sfProject/web/uploads">
php_flag engine off
</Directory>
The fix could be shipped as a .htaccess file added to the uploads directory. I
think it would be the easiest way for many symfony users.
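As an added example (not part of the original post or of symfony), here is a small audit script a deployer could run against a project's web/uploads directory: it checks that the proposed .htaccess is in place and that nothing already sitting in the directory carries an extension mod_php would execute. The directory path and the extension list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a symfony web/uploads
# directory for the mitigation proposed above. Exit status 0 means an
# .htaccess turns the PHP engine off AND no already-uploaded file carries a
# PHP-executable extension; 1 otherwise. The path is a hypothetical argument.
#
# Caveat: php_flag is only honoured by mod_php and only when AllowOverride
# permits it; with PHP running as FastCGI the directive is silently ignored,
# so a passing audit proves the file is in place, not that PHP is really off.

audit_uploads_dir() {
    dir="$1"
    status=0

    # 1. The proposed fix: "php_flag engine off" in the directory's .htaccess.
    if [ -f "$dir/.htaccess" ] \
       && grep -Eiq '^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off' "$dir/.htaccess"; then
        echo "ok: $dir/.htaccess disables the PHP engine"
    else
        echo "MISSING: $dir/.htaccess should contain 'php_flag engine off'"
        status=1
    fi

    # 2. Anything mod_php would execute if the flag were absent. On servers
    #    configured with AddHandler, mod_mime maps every extension in a name,
    #    so attack.php.jpg counts as PHP too. The extension list is an
    #    assumption; adapt it to the server's handler configuration.
    found=$(find "$dir" -type f | grep -Ei '\.(php[0-9]?|phtml|phar)(\.|$)' || true)
    if [ -n "$found" ]; then
        echo "FOUND files the PHP engine would run:"
        echo "$found"
        status=1
    else
        echo "ok: no PHP-like file names under $dir"
    fi
    return "$status"
}

# Constructed demo: a fixture directory with a harmless CV and a disguised
# PHP file, audited before and after the .htaccess fix is applied.
demo=$(mktemp -d)
: > "$demo/cv.pdf"
: > "$demo/attack.php.jpg"
audit_uploads_dir "$demo" || echo "-> audit failed (expected: no .htaccess yet)"
printf 'php_flag engine off\n' > "$demo/.htaccess"
audit_uploads_dir "$demo" || echo "-> still failing: the disguised file must be removed"
rm -rf "$demo"
```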
--
You received this message because you are subscribed to the Google Groups
"symfony developers" group.