On 1/30/10 5:16 PM, Tom Boutell wrote:
This is not a bug in Symfony. Being smart with files and never, ever
blindly trusting file extensions uploaded by end users (!!!) is up to
the developer.

However, it would indeed be very straightforward to block as you
suggest, so dropping a .htaccess to that effect in the web/uploads
folder of a newly generated project might be a good idea. Just as the
Propel and Doctrine ORMs make it naturally difficult to goof and
execute user input as SQL code, such a .htaccess file would make
things a little safer "out of the box" for file upload management.

And what if you don't use Apache? Or if .htaccess files are not allowed in your Apache configuration?

As you said, I think this is up to the developer to take care of this.

Fabien


As for Diem, you logged in as an admin who should presumably have all
privileges, so I think you should check and make sure this is really
permitted for an "ordinary" Diem user before you rush to the
conclusion that it is a security hole in Diem.

(Our Apostrophe CMS does limit what can be uploaded. But Apostrophe
has seen a lot of deployment in environments with many users where
that sort of caution is warranted.)

On Sat, Jan 30, 2010 at 11:08 AM, Éric Rogé <[email protected]> wrote:
THE ISSUE

When a user uploads a file in a form, Symfony stores it by default in
the "web/uploads" directory, and the files in that directory can be
reached by any user.

Imagine: a hacker succeeds in uploading a file named attack.php that
contains this line:

<?php echo file_get_contents('../../config/databases.yml'); ?>

You see what I mean? Ouch.

What does the hacker need? Just a form that doesn't check the
uploaded files' extensions well enough.


How the hell could it happen? In at least 3 ways:

1/ The developer doesn't know his job or has been lazy: Checking file
types? Why? How?

2/ The developer wanted to build a flexible app

A job application: users have to upload their CV. Which extensions
should I accept in this form? Hmmm, PDF for sure. And Word files. And
Pages. And Open Office and RTF and... Come on! Let's just say that
all files are welcome as long as they aren't too big!

3/ Trickier one: PHP is turned on for unusual file extensions

A myspace-like service lets users upload their own CSS for their
private space.
A few weeks later, PHP is turned on in CSS files to add a brand new cool
feature. Great, now the hacker just has to upload an attack.css file
with PHP in it...


REAL LIFE SAMPLE

I'm afraid that these kinds of forms are very easy to find.
The first I've found: the Diem project

Go to the admin 
http://demo.diem-project.org/admin.php/content/site/sites-using-diem/new
(use "admin" as login and password)

In the thumbnail field, you can upload any PHP file, and it will be
published online....


FIX PROPOSAL

PHP should definitely be disabled by default in the uploads
directory:

<Directory "/path/to/my/sfProject/web/uploads">
  php_flag engine off
</Directory>

The fix could be released as a .htaccess added to the uploads directory. I
think it should be the easiest way for many symfony users.

--
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en.

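As an added example (not code from this thread, nor from Symfony or Diem), here is the application-level handling the thread leaves "up to the developer", written so it does not depend on Apache or .htaccess at all: a Symfony 1.x form that allowlists document types by detected content, ignores the user-supplied extension, and stores the file outside web/. The data-directory path and the accepted type list are assumptions for a CV upload like the one in the thread.

```php
<?php
// Added example, not code from the thread or from Symfony/Diem.
// Assumes a Symfony 1.2+ project (sfForm, sfValidatorFile, sfValidatedFile).
class CvUploadForm extends sfForm
{
  // Document types a job-application form accepts (assumed list). sfValidatorFile
  // checks the real content (finfo / mime_content_type / `file`), so a PHP
  // script renamed to cv.pdf is rejected on its content, not its name.
  static protected $allowedMimeTypes = array(
    'application/pdf',
    'application/msword',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'application/rtf',
    'application/vnd.oasis.opendocument.text',
  );

  public function configure()
  {
    $this->setWidgets(array('cv' => new sfWidgetFormInputFile()));
    $this->setValidators(array(
      'cv' => new sfValidatorFile(array(
        'required'   => true,
        'max_size'   => 5 * 1024 * 1024,          // 5 MiB cap
        'mime_types' => self::$allowedMimeTypes,  // content-based allowlist
        // Assumed location: a directory that is NOT under web/, so nothing
        // stored here is reachable by URL, whatever the web server is and
        // whether or not PHP is enabled for the directory.
        'path'       => sfConfig::get('sf_data_dir').'/cv',
      )),
    ));
    $this->widgetSchema->setNameFormat('cv[%s]');
  }

  // Call after bind() and isValid(). Stores the upload under a name from
  // sfValidatedFile::generateFilename() (a random hash plus an extension
  // derived from the detected MIME type), so the "attack.php" of the thread
  // is never written to disk under the name the uploader chose.
  // Returns the stored file name relative to the configured path.
  public function saveUpload()
  {
    $file = $this->getValue('cv');  // sfValidatedFile
    return $file->save();
  }
}
```

Serving a stored CV back to a user then goes through a controller that reads from the data directory and sends it with a fixed Content-Type and Content-Disposition: attachment, so the upload directory never needs to be web-accessible.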