Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#1868 closed New Feature (fixed)

File browser may be blocked because of possible "Path traversal" attack

Reported by: wwalc Owned by: alfonsoml
Priority: Normal Milestone:
Component: File Browser Version:
Keywords: Confirmed Review+ Cc:

Description

In Apache, mod_security (http://www.modsecurity.org/) is usually installed; it is commonly used to detect and prevent possible attacks. A quick example from the official mod_security site (http://www.modsecurity.org/documentation/quick-examples.html):

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

A similar rule is available in the "Apache 2.x rules" at http://www.gotroot.com/:

    ##generic recursion signatures
    SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
    SecRule REQUEST_URI "\.\./\.\./"
    #generic path recurision si

The problem is that ../.. is used by FCKeditor:

http://www.fckeditor.net/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=../../connectors/php/connector.php

so it may be blocked in rare cases.

We should avoid passing ".." in urls.
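To show what such a fix has to achieve, here is an added example (not FCKeditor's own code, and not the content of 1868.patch or changesets [1624]/[1627], which are not shown on this page): it resolves the Connector path against the directory of the browser page before building the query string, so the request never carries "../", and it checks the result against the same `\.\./` pattern the mod_security rules above match. The page path and connector path are assumptions modelled on the URL in the description.

```javascript
// Added example, not FCKeditor code: build the file-browser URL with the
// connector path already resolved, so a rule like SecFilter "\.\./" has
// nothing to match.

// Collapse "." and ".." segments of an absolute path the way a browser does.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }   // cannot climb above "/"
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Resolve a connector path relative to the directory holding the browser page.
// pagePath is assumed, e.g. "/fckeditor/editor/filemanager/browser/default/browser.html".
function resolveConnector(pagePath, connector) {
  if (connector.startsWith('/')) return normalizePath(connector);
  const dir = pagePath.replace(/[^/]*$/, '');     // strip "browser.html"
  return normalizePath(dir + connector);
}

// The pattern the ticket cites: SecFilter "\.\./" (gotroot's "\.\./\.\./" is a subset).
const PATH_RECURSION = /\.\.\//;

// True if a mod_security rule of that shape would match the request URL.
// Checks the raw and the percent-decoded form, since a filter may run on either.
function wouldTripTraversalRule(url) {
  let decoded = url;
  try { decoded = decodeURIComponent(url); } catch (e) { /* malformed escape: raw only */ }
  return PATH_RECURSION.test(url) || PATH_RECURSION.test(decoded);
}

// Emit the browser URL with an absolute, normalized Connector value.
function buildBrowserUrl(pagePath, type, connector) {
  const connectorPath = resolveConnector(pagePath, connector);
  return pagePath + '?Type=' + encodeURIComponent(type) +
         '&Connector=' + encodeURIComponent(connectorPath);
}

// Constructed sample: the URL shape from the ticket, before and after.
const PAGE = '/fckeditor/editor/filemanager/browser/default/browser.html';
const BEFORE = PAGE + '?Type=Image&Connector=../../connectors/php/connector.php';
const AFTER = buildBrowserUrl(PAGE, 'Image', '../../connectors/php/connector.php');
console.log('before trips rule:', wouldTripTraversalRule(BEFORE)); // true
console.log('after  trips rule:', wouldTripTraversalRule(AFTER));  // false
```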

Attachments (1)

1868.patch (2.1 KB) - added by alfonsoml 8 years ago.
Proposed SVN patch


Change History (6)

comment:1 Changed 8 years ago by fredck

  • Keywords Confirmed added

Changed 8 years ago by alfonsoml

Proposed SVN patch

comment:2 Changed 8 years ago by alfonsoml

  • Keywords Review? added
  • Owner set to alfonsoml
  • Status changed from new to assigned

Could you verify if this patch does fix the issue?

comment:3 Changed 8 years ago by wwalc

  • Keywords Review+ added; Review? removed

Ok, FCKeditor passes the "\.\." checks now.

comment:4 Changed 8 years ago by wwalc

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed with [1624].

comment:5 Changed 8 years ago by wwalc

..and [1627].

© 2003 – 2016 CKSource – Frederico Knabben. All rights reserved.