ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Mark Huot File Upload Allowing PHP Scripts

August 16, 2010 12:54pm

  • #1 / Aug 16, 2010 12:54pm

    Liam Spencer

    37 posts

    Hi, it is me again!

    A problem that our penetration test team picked out was that when using Mark Huot’s File extension, they could upload PHP scripts to the server and use these scripts to hack the system. Basically in my client’s website, the user can upload a profile picture using the file upload, and there seems to be nothing stopping them uploading all sorts of files. This is the same in the control panel “Publish” page. The file upload preferences clearly state that only images should be uploaded but this is seemingly being ignored.

    Any help in this matter will be really appreciated.

    If you require any more details, post and let me know.

    Thanks.

    Moved to CodeShare Corner by Moderator

  • #2 / Aug 16, 2010 1:13pm

    Sue Crocker

    26054 posts

    If you turn off that extension, and attempt to upload without it, do you have the same problem?

  • #3 / Aug 17, 2010 5:23am

    Liam Spencer

    37 posts

    Hi Sue,

    Yes, if I turn the extension off and use ExpressionEngine’s native upload on the “Publish” page, it still allows me to upload files which are not images, despite the settings being set to “images only”.

  • #4 / Aug 17, 2010 5:30am

    Liam Spencer

    37 posts

    Just done further tests and it no longer allows me to upload PHP or JavaScript files, but still can upload .html files. Is this normal? If so, that’s cool, but I was led to believe Mark Huot’s File extension honored the native upload preferences. I understand the plugin is something you can’t help me with so if you feel the need to move this topic elsewhere, feel free! Thanks Sue.

  • #5 / Aug 17, 2010 8:26am

    Sue Crocker

    26054 posts

    Done!

  • #6 / Aug 17, 2010 9:12am

    Cem Meric

    210 posts

    Liam, out of curiosity why do you use Mark’s extension?

  • #7 / Aug 17, 2010 9:41am

    Liam Spencer

    37 posts

    I used it as I found some tutorials around here on how to implement it in a SAEF and as part of an editable form. Would you recommend an extension that could do both easier than this one?

    nGen was another possibility and I’m so far down the line with this feature, I can barely remember why I didn’t go for it in the first place.

  • #8 / Aug 17, 2010 9:57am

    Cem Meric

    210 posts

    EE1 or EE2?

  • #9 / Aug 17, 2010 10:00am

    Liam Spencer

    37 posts

    EE1.

  • #10 / Aug 17, 2010 10:53am

    Cem Meric

    210 posts

    For EE1 I was using MX UniEditor which combines a WYSIWYG editor as well.

  • #11 / Aug 19, 2010 7:12am

    Liam Spencer

    37 posts

    Hi guys,

    I changed my extension to the nGen File Upload one, and whilst this stops the user uploading direct PHP scripts, the user can still upload a valid image which is a PHP script. This is a huge problem. The extension you posted above Cem was too much for what I actually needed for the client. It seems as though there is no file upload utility that is secure, apart from the ExpressionEngine native upload, which is not ideal for the user of a SAEF as we don’t want them seeing the control panel.
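    The two failure modes in this thread (an "images only" setting that only looks at the file name, and a file that is a valid image and a PHP script at the same time) are what a server-side check has to cover. The following is an added example, not code from ExpressionEngine or from either extension; it is a Python sketch of three layered checks (extension allowlist, magic bytes matching the claimed type, scan for script markers) run over constructed sample uploads. The allowlist and marker list are assumed policy, not either product's settings.

```python
from typing import Tuple

# Assumed upload policy (not ExpressionEngine's own config): allowed extensions
# and the leading bytes a file claiming that extension must actually start with.
IMAGE_SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

# Byte sequences a web server or template engine could execute if the file
# were ever included or served with the wrong handler. Compared case-insensitively.
SCRIPT_MARKERS = [b"<?php", b"<?=", b"<script"]


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). All three checks must pass."""
    # 1. Allowlist on the *last* extension, so "x.php", "x.html" and
    #    "x.jpg.php" are all rejected regardless of what the form claimed.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} is not an allowed image type"
    # 2. The bytes must match the claimed type; a PHP file renamed .gif fails here.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content does not start with a {ext} signature"
    # 3. A file that is a valid image *and* contains PHP passes checks 1 and 2,
    #    so scan the body too. Re-encoding through an image library is stronger.
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, f"embedded script marker {marker!r} found"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads mirroring the thread (no real files involved).
    samples = {
        "avatar.php":     b"<?php echo 'x'; ?>",
        "avatar.html":    b"<html><script>1</script></html>",
        "avatar.jpg.php": b"\xff\xd8\xff\xe0",
        "renamed.gif":    b"<?php echo 'x'; ?>",
        "polyglot.gif":   b"GIF89a" + b"\x00" * 12 + b"<?PHP echo 'x'; ?>",
        "clean.png":      b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    for name, body in samples.items():
        ok, why = check_upload(name, body)
        print(f"{name:15} {'accept' if ok else 'reject'}: {why}")
```

Store accepted files under a server-chosen name with the validated extension, outside any directory the web server will execute scripts from, so a check bypass still cannot be turned into code execution.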
