On Sat, Jan 30, 2010 at 5:08 PM, Éric Rogé <[email protected]> wrote:
> Huge security issue in the "uploads" directory

First, please use the [email protected] email address for reporting security issues. I wouldn't see a zero day exploit here. Too late, okay.

> <?php echo file_get_contents('../../config/databases.yml'); ?>
> Go to the admin
> http://demo.diem-project.org/admin.php/content/site/sites-using-diem/new
> (use "admin" as login and password)
> In the thumbnail field, you can upload any php file, it will be
> published online....

Just tried it, and the hack works indeed, I managed to access the databases.yml file content, and the database password. "Outch", as you said.

But the problem is that *every* mime type is visibly allowed in the mentioned form, and that's a *very* bad practice. I don't really think it's a Symfony job to prevent this kind of misuse. What about people deploying symfony apps with the project root as the web server document root? Just getting http://toto.com/config/databases.yml has the very same result. Should we then add .htaccess files everywhere over ./web? Should we add <?php exit('No direct access is allowed'); lines on top of every lib/config file? Come on, it's 2010.

> PHP should definitely be disabled by default in the uploads
> directory :
>
> <Directory "/path/to/my/sfProject/web/uploads">
> php_flag engine off
> </Directory>

As we already provide a .htaccess file (which is Apache oriented), I think it would be a good idea to add it by default. But to me a better patch would be *education*. Maybe a blog post on the symfony blog regarding this particular issue would help spread the word regarding best practices for file validation.

++

--
Nicolas Perriault
http://prendreuncafe.com - http://symfonians.net
Mobile: +33 660 92 08 67
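An added example, not code from the Diem or symfony projects, of the server-side validation the reply is asking for on the thumbnail field: an extension allowlist, a magic-bytes check, and a server-chosen filename. The function name and its array return convention are assumptions.

```php
<?php
// Added example: validate a thumbnail upload before it is written under web/uploads.
// Not Diem/symfony code; the function name and return convention are assumptions.

/**
 * @param array $file  one entry of $_FILES, e.g. $_FILES['thumbnail']
 * @return array [bool $ok, string $nameOrError]
 */
function validateThumbnailUpload(array $file): array
{
    // Only the image types the form is meant to accept; php, phtml, etc. are refused.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    if (!isset($file['tmp_name'], $file['error'], $file['name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload did not complete'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not a file uploaded through this request'];
    }

    // 1. Extension allowlist on the client-supplied name. The name is used for this
    //    check only, never to build the path on disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return [false, 'extension not allowed: ' . $ext];
    }

    // 2. Content check from magic bytes; the client-declared $file['type'] is ignored entirely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return [false, 'content is ' . $mime . ', expected ' . $allowed[$ext]];
    }

    // 3. The file must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'not a decodable image'];
    }

    // 4. Server-chosen name and extension, so nothing from the request reaches the filesystem.
    //    A valid image can still carry script text in its metadata, so this check complements,
    //    and does not replace, "php_flag engine off" on the uploads directory.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}
```

Call move_uploaded_file() into web/uploads only after this returns true, and keep the directory-level php_flag engine off as the backstop.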
