An article about this in the Wiki might be a good idea in the meanwhile. I was concerned about the security problems with Symfony and traditional shared hosting (in a nutshell, don't do it), so I made sure the Wiki pages about shared hosting and Symfony explained why it's a bad idea (unless it's a chroot jail sort of setup in which other clients can't reach your juicy cache folder crammed to the gills with tasty world-writable .php files (: ). Google searches for symfony shared hosting bring that information right up. A concerned party could achieve the same result for an article about safe file uploads.
On Sun, Jan 31, 2010 at 8:37 AM, Nicolas Perriault <[email protected]> wrote:

> On Sat, Jan 30, 2010 at 5:08 PM, Éric Rogé <[email protected]> wrote:
>
>> Huge security issue in the "uploads" directory
>
> First, please use the [email protected] email address for
> reporting security issues. I wouldn't see a zero day exploit here. Too
> late, okay.
>
>> <?php echo file_get_contents('../../config/databases.yml'); ?>
>> Go to the admin
>> http://demo.diem-project.org/admin.php/content/site/sites-using-diem/new
>> (use "admin" as login and password)
>> In the thumbnail field, you can upload any php file, it will be
>> published online....
>
> Just tried it, and the hack works indeed, I managed to access the
> databases.yml file content, and the database password. "Outch", as you
> said.
>
> But the problem is that *every* mime type is visibly allowed in the
> mentioned form, and that's a *very* bad practice. I don't really think
> it's a Symfony job to prevent this kind of misuse. What about people
> deploying symfony apps with the project root as the web server
> document root? Just getting http://toto.com/config/databases.yml has
> the very same result. Should we then add .htaccess files everywhere
> over ./web? Should we add <?php exit('No direct access is allowed');
> lines on top of every lib/config file? Come on, it's 2010.
>
>> Php should definitely be disabled by default in the uploads
>> directory:
>>
>> <Directory "/path/to/my/sfProject/web/uploads">
>> php_flag engine off
>> </Directory>
>
> As we already provide a .htaccess file (which is Apache oriented), I
> think it would be a good idea to add it by default. But to me a better
> patch would be *education*. Maybe a blog post on the symfony blog
> regarding this particular issue would help spread the word
> regarding best practices for file validation.
>
> ++
>
> --
> Nicolas Perriault
> http://prendreuncafe.com - http://symfonians.net
> Mobile: +33 660 92 08 67
>
> --
> You received this message because you are subscribed to the Google Groups
> "symfony developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en.

--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
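The defensive side of the thread above, as an added PHP example that is not code from the thread, from Symfony or from Diem: the thumbnail field is made to accept only files whose content is a real image, the client-supplied name and MIME type are ignored, and the stored file gets a generated name with the extension that matches the sniffed type. The function names validateThumbnail() and storeThumbnail(), and the uploads/thumbnails target path, are illustrative assumptions.

```php
<?php
// Added example (not from the thread, Symfony or Diem): server-side
// validation for an image upload field. validateThumbnail(), storeThumbnail()
// and the uploads/thumbnails directory are illustrative names, not project API.

declare(strict_types=1);

/**
 * Validate one entry of $_FILES and return a safe destination filename,
 * or throw on anything that is not a permitted image.
 */
function validateThumbnail(array $file, int $maxBytes = 2 * 1024 * 1024): string
{
    // Allow-list of real image types. $file['type'] comes from the browser
    // and is attacker-controlled, so it is deliberately never consulted.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // Sniff the MIME type from the file content (magic bytes), not from the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Rejected content type: ' . $mime);
    }

    // Require the image to actually decode as well.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }

    // Never reuse the client-supplied name: generate one and force the
    // extension that matches the sniffed type, so no double extension survives.
    return bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
}

/**
 * Move a validated upload into the public uploads directory and return
 * the stored filename. $uploadDir is the illustrative web/uploads/thumbnails.
 */
function storeThumbnail(array $file, string $uploadDir): string
{
    $name = validateThumbnail($file);
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    // Stored uploads are data: readable, never executable.
    chmod($dest, 0644);

    return $name;
}

// Handling the form field named 'thumbnail' (the field from the report).
if (isset($_FILES['thumbnail'])) {
    try {
        $saved = storeThumbnail($_FILES['thumbnail'], __DIR__ . '/uploads/thumbnails');
        echo 'Stored as ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

This validation is the first layer only. The `php_flag engine off` block Nicolas quotes is the second one and is still needed: content sniffing and getimagesize() reject files that are not images, but they cannot guarantee that a file which decodes as an image contains nothing else, so the web server must never hand anything under web/uploads to the PHP engine regardless of what the application accepted.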
